Redirect in middleware when request is a server action fails with "failed to forward action response"

[ehis]

Running: NextJS v14.2.3
Node: v20.5.1

Here's the permalink to the console.error in the action-handler.

Stack Trace on Vercel

failed to forward action response TypeError: fetch failed
    at Object.fetch (node:internal/deps/undici/undici:11731:11)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async r_ (/var/task/node_modules/.pnpm/[email protected]_@[email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/app-page.runtime.prod.js:15:4134)
    at async rP (/var/task/node_modules/.pnpm/[email protected]_@[email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/app-page.runtime.prod.js:15:7924)
    at async r5 (/var/task/node_modules/.pnpm/[email protected]_@[email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/app-page.runtime.prod.js:18:1139)
    at async es (/var/task/node_modules/.pnpm/[email protected]_@[email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/server.runtime.prod.js:16:26320)
    at async ei.responseCache.get.routeKind (/var/task/node_modules/.pnpm/[email protected]_@[email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/server.runtime.prod.js:17:1026)
    at async r3.renderToResponseWithComponentsImpl (/var/task/node_modules/.pnpm/[email protected]_@[email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/server.runtime.prod.js:17:508)
    at async r3.renderPageComponent (/var/task/node_modules/.pnpm/[email protected]_@[email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/server.runtime.prod.js:17:5028)
    at async r3.renderToResponseImpl (/var/task/node_modules/.pnpm/[email protected]_@[email protected][email protected][email protected]/node_modules/next/dist/compiled/next-server/server.runtime.prod.js:17:5615) {
  cause: Error
      at makeNetworkError (node:internal/deps/undici/undici:5002:35)
      at httpRedirectFetch (node:internal/deps/undici/undici:9994:16)
      at httpFetch (node:internal/deps/undici/undici:9954:28)
      at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
      at async schemeFetch (node:internal/deps/undici/undici:9854:18)
      at async node:internal/deps/undici/undici:9727:20
      at async mainFetch (node:internal/deps/undici/undici:9717:20)
}

[ehis]

hi @ztanner In our application, createForwardedActionResponse fetch request is failing when the middleware intercepts a server action request and based on some application logic (eg. invalid session) redirects the user to another page.

#64227

Example of condition and redirect in middleware.

const isMember = false

if (!isMember) {
   return NextResponse.redirect(new URL('/plans', request.url));
}

Hoping we can get a patch soon!

[ztanner]

Hi @ehis, thank you for the report! This should be fixed by #65097 which is available in v14.3.0-canary.27. Let me know if you're still seeing this behavior on/after this version.

[ehis]

@ztanner Thanks for the callout on getIsServerAction and only using to demonstrate behavior - not going to use in production code.

Correct, as presumed the end goal is for the middleware to intercept any server action triggered on /buy (including the forwarded action) and force redirect to the /plans page.

A practical use case for this flow could be the middleware intercepting an action and redirecting to the /login page because of an expired JWT.

If there's another recommended NextJS approach to doing the equivalent would love any suggestions 🙏🏾

[ztanner]

Hey @ehis --

I see, that makes sense! For the use-case you shared, some ideas/recommendations:

• Ensure your server action is performing the hard auth check, rather than solely relying on middleware (ex).
• If the user isn't logged in, your server action could trigger a redirect to the plans page, eg:

export const purchaseMe = async () => {
  const isLoggedIn = await verifyAuth()

  if (!isLoggedIn) {
    redirect('/plans')
  }

  return {
    foo: 'bar',
  }
}

• If you wanted to generalize this behavior, you could abstract it into a helper that's used on your non-public actions. e.g., await redirectIfUnauthorized())

[ehis]

@ztanner I see! If we perform the hard auth check in our server actions could we then exclude them from the middleware?

eg.

export const config = {
  matcher: [
    /*
     * Match all request paths except for the ones starting with:
     * - api (API routes)
     * - _next/static (static files)
     * - _next/image (image optimization files)
     * - favicon.ico (favicon file)
     */
    {
      source:
        '/((?!api|_next/static|_next/image|media|fonts|favicon.ico|favicon.png).*)',
      missing: [
        // Exclude Server Actions
        { type: 'header', key: 'next-action' },
      ],
    },
  ],
};

[ztanner]

@ehis, yep, no need to handle in middleware! You can think of it similar to an API route where you'd have the auth check at the top of the request handler.

[ehis]

thanks so much @ztanner and really appreciate the response to the help discussion!!

[Enzo-PVsyst]

hey, I had a similar issue, and I could solve it by adding the missing field. However I don't really understand why excluding server actions does the trick, and even more, how is this line excluding server actions ?

My use case was an auth process with jwt token and refresh token, that would redirect to login when the session was expired

[harsha-at-magicshake]

@Enzo-PVsyst Same in my case.
My use case is something like this:

middleware.ts

const testAuth = await isAuthenticated();
  console.log(testAuth, "in middleware");

  if (testAuth) {
    return NextResponse.next();
  } else {
    return NextResponse.redirect(new URL("/login", request.url));
  }
 }
// matcher config that excludes login and some other essentials

login/page.tsx

"use client";

import { useRouter } from "next/navigation";
import { makeAPICall } from "../utils";

export default function Home() {
  const router = useRouter();

  const handleSet = async (value: number) => {
    await makeAPICall(value); // added this implementation at the end. (utils.ts)
    // redirect("/v4") // commented because it's throwing NEXT_REDIRECT error.
    router.replace("/v4");
  };

  return (
    <main className="space-x-4">
      <button onClick={async () => await handleSet(1)}>Set Cookie</button>
    </main>
  );
}

v4/page.tsx

"use client";

import { useRouter } from "next/navigation";
import { makeAPICall, onSubmit } from "../utils";
import clearCachesByServerAction from "@/customCacheClear";

export default function Home() {
  const router = useRouter();

  const handleSet = async (value: number) => {
    await makeAPICall(value);
    clearCachesByServerAction("/");
    if (value == -1) {
      router.replace("/login");
    }
  };

  return (
    <main className="space-x-4">
      <button onClick={async () => await handleSet(-1)}>Logout</button>
      <button onClick={async () => await handleSet(0)}>Get Cookie</button>
      <button onClick={async () => await handleSet(1)}>Set Cookie</button>
      <button onClick={async () => await handleSet(2)}>Refresh Cookie</button>
    </main>
  );
}

utils.ts

"use server"

export const isAuthenticated = async () => {
  const value = await getCookie();
  if (value) {
    return true;
  } else {
    return false;
  }
};

export const setCookie = async () => {
  cookies().set("client", "settingCookie");
};

export const deleteCookie = async () => {
  cookies().delete("client");
};

export const setNewCookie = async () => {
  cookies().set("client", "settingNewCookie");
};

export const getCookie = async () => {
  const value = cookies().get("client");
  console.log(value?.value ?? "Not found!");
  return value?.value;
};

clearCacheByServerAction.ts

"use server"
import { revalidatePath } from "next/cache"

const clearCachesByServerAction = async (path: any) => {
try {
  if (path) {revalidatePath(path)} 
else {
  revalidatePath("/")
  revalidatePath("/[lang]")
}
} catch (error) {
  console.error("clearCachesByServerAction=> ", error)
}
}
export default clearCachesByServerAction

Use case:

When I click on logout, the cookies gets deleted, but still, apparently, in the middleware, the log shows
true -> which states user is authenticated

The intended action was to navigate to /login which wouldn't happen without putting clearCacheByServerAction
As per my understanding, when I clear cache, the middleware is hit again, then it shows false, hence it gets redirected.
In this scenario, I am getting the error.

Now my queries are:
Is it okay to get it?
Is it intended?
Can I go ahead to production without handling it?
Why redirect("/") getting NEXT_REDIRECT error?
Can I include checking the token validity logic in middleware.ts and handle refresh token there? Or is it heavy to do so?
Assuming makeApiCall is a helper which calls all my routes, from all the screens, can I use it to intercept the responses, (I handled the token expiry with custom code) so that I can check it and do another API call to refresh token, set new cookies, then perform the actual api call?

@ztanner

Apologies in advance if the queries seem to be silly, since I did not find any proper resource for handling the cookies from route.ts, middleware.ts etc.

[Daniel-Ash]

Hey @ztanner - so to confirm, are you saying that you can't use middleware for auth redirects when using server actions? It would be great if this was supported, or added to the middleware docs as a limitation as it can lead to bugs that are tricky to pin down!

[VivekGupta137]

I came across to this problem as well, IMO, having the redirects at middleware level made more sense, instead of duplicating same logic in more than one place ( one at middle ware and others at each server action ).
I feel that if I made the middleware that captures all the requests for a particular page ( including all the server actions calls ), and that route is only for authenticated users, then it makes less sense to have separate duplicate logic in each of the server actions for that page.

My dependencies:
"dependencies": {
"react": "^18",
"react-dom": "^18",
"next": "14.2.14"
}

in the middleware.ts file:
`import { NextResponse } from "next/server";
import type { NextRequest } from "next/server";

export function middleware(request: NextRequest) {
const token = request.cookies.get('access_token');

const isAuthenticated = !token? false : true;
if (!isAuthenticated) {
    const response = NextResponse.redirect(new URL('/?error=not-authenticated', request.url));

    return response;
}
return NextResponse.next();

}

export const config = {
matcher:[ "/gqlclientcheck/:path*", "/gqlservercheck/:path*"],
};`

[ollebergkvist]

@ztanner

We're in October now, and the docs are still not updated, it should clearly reflect this conflict between server actions and running auth in middleware. Would probably save other devs from running into this.. 🙏

Thanks to finding this closed thread we were able to solve a major headache in our auth flow.

We disabled middleware for server actions by checking this condition in our conditional statement:
const isServerAction = request.headers.get('next-action')

And added explicit checks in each action instead.

[J4v4Scr1pt]

Thanks for this thread and the "work arrounds" I was pulling my hear on this one 😅

[axten]

I solved redirection of server actions in middleware with setting the corresponding header:

// middleware.ts
    ...
      const hasSession = request.auth && !request.auth.isExpired;
      const isAction = request.method === 'POST' && request.headers.has('Next-Action');
    
    // since middleware cannot redirect server actions directly, the corresponding header gets set
    if (!hasSession && isAction) {
      response.headers.set('x-action-redirect', `/login?callbackUrl=${encodeURIComponent(request.nextUrl.toString())}`);
     return response;
    }
    ...