Replies: 20 comments 65 replies
-
And will a middleware for fetch requests be possible? Because currently the middleware is only for nextjs routes and not for fetch requests. A typical use case could be to automatically add an authorization token to request headers, detect when a fetch request gives a 401 error and do something about it, etc. This could apply to fetch requests made from the server or client component. |
Beta Was this translation helpful? Give feedback.
-
Dumb question here: Where will it run? in the edge network (close to the client) or in the server (close to the DB)?? |
Beta Was this translation helpful? Give feedback.
-
Is there a current RFC (draft or finalized) for this work? |
Beta Was this translation helpful? Give feedback.
-
I've been eagerly awaiting this feature in Next.js that would simplify authentication on every route for my app. Unfortunately, Version 15 didn't include this. Currently, my production app requires authentication on each route. However, due to the middleware edge runtime limitations, I'm forced to fetch an additional endpoint, Considering this limitation, I've begun exploring other React frameworks. Interestingly, the official React documentation now recommends Next.js App Router. I'm torn between migrating to a different framework or patiently waiting for this essential feature. I believe many developers face similar challenges. |
Beta Was this translation helpful? Give feedback.
-
@leerob thanks for sparking this up! 🔥 Enabling nodejs runtime in the middleware, self-hosted, would allow everyone to use libraries such as Looking forward to it! |
Beta Was this translation helpful? Give feedback.
-
@leerob Node.js runtime in the middleware would be awesome! My challenge with middleware is that certain APIs, like The workaround I had to use was creating a new API endpoint just for decryption. Decrypting my cookie value directly from middleware would be wonderful and simple. |
Beta Was this translation helpful? Give feedback.
-
I'm using NextAuth with Next.js 15 and the app router. After a user signs in (via an OAuth identity provider), I need to fetch some additional user information from a 3rd-party-system, which I'd like to add to the JWT in the cookie (because the information is used on every page). Unfortunately, the library necessary for the data fetching is not edge-compatible and during a Next build I get errors complaining about using Node.js-specific calls in my middleware (which uses NextAuth to protect the whole app from being accessed unauthorized). I worked around this by splitting my NextAuth config into two variants: a basic one which can be used in the middleware and a full-fledged one which does the additional fetching of user information. This does the job, but it's a nasty workaround IMHO. The application is supposed to be stateless (no additional database, Redis cache, etc.) and deployed on Kubernetes. @leerob Do you think in that case, running the middleware with the (aforementioned) Node.js runtime would be a feasible solution? Or is there some other (better?) approach which I might be missing? Fetching the data in a page and then utilizing |
Beta Was this translation helpful? Give feedback.
-
I think currently Next.js just isn't good for applications that need authentication, unless you don't know how to handle auth and use Clerk. Next.js middleware doesn't have the ability to set context in the actual app. Even when I check the user session in middleware, I still have to check it again in the actual app to get the user because I can't pass the user from middleware to the application. Not to mention that to check the session in middleware, I have to do it through an HTTP request to the API, because currently middleware is limited to running only on the edge, supposed vercel infra. I'm supposed to use vercel serverless postgresql db to call db inside middleware or what? You're supposedly working on adding Node.js runtime support to middleware (one if statement, maybe more because it needs to be compatible with vercel infra), but at this pace I don't know if you'll manage to announce it at Next.js conf 2026. An alternative, if you ever manage to add it, will be the mentioned request interceptors, but it still won't be a 100% good alternative for handling auth because you won't be able to modify cookies/headers there. Pilcrow (lucia-auth creator) gave you a good idea on how to solve this problem #70961 (comment), but you wrote that it's an intentional limitation because that's what middleware is for. How we are supposed to handle auth then? Seriously, does nobody at vercel know how to do auth and they just use sponsored auth saas solutions like Clerk, that they don't see any problem here? Or do you just want clients to pay you double for checking user sessions? |
Beta Was this translation helpful? Give feedback.
-
+1 with OreQr, this is still my single biggest gripe with NextJS. As a beginner/intermediate developer, NextJS not having a proper and safe way to handle authentication (and authorization!) within middleware (or anything at all) completely throws me off. I'm working on a large project now using auth.js with dozens of pages requiring different authorizations and it blows my mind how messy and unsafe it is right now. Even though I cache everything in JWT and only do a database pull once on login, NextJS won't allow me to use it in middleware because it imports an "unsafe library" (never used in middleware anyways).
export async function validate(route){
user = auth();
if(!user.validated) {redirect("/login")};
const favColor = await myDB.get( user.id ).color;
return ( route( {favcolor:favColor} ) );
}
import { validate } from './requesthandler.ts';
@validate
export default function MyPage( params ){
return ( <p>My favorite color is {params.favcolor}</p> )
}
I know it couldn't look exactly like this because of how finicky ts/js decorators are but surely there's a way to accomplish something similar, at least. Again, I'm by no means an expert, but this is how I intuitively expect a system like this to work from prior experience with other frameworks. In my mind this fixes both the problems with redundant code for the developer and my personal problem with middleware now regardless of runtime, which is that it feels very non-nextjs/typescripty to have only a single middleware "program" that runs on everything and the need to hack together solutions for each page with regex and parsing request strings manually. I feel like a much more deterministic approach where you apply your own cookie-cutter "mini-middlewares" to each page just feels much more confident. |
Beta Was this translation helpful? Give feedback.
-
Typically we'd make an auth check for every non-public route. Just checking if there is some bearer token, cookie or whatever form of identification. And then save the user data ( or that it's anonymous) to be available for later handlers. For some routes/route groups you might redirect instantly, for some not, it depends. Some have additional middleware etc. One of the points of this is to have a standard interface for accessing the user data later. So whatever authentication methods, services and libraries are used, after auth middleware the user model is the same. So basically authentication is entirely separated from the rest of the application which means there are less dependencies for the "web" part. Which means less code to bundle, faster build, faster apps. So any opportunity to move logic to the "server layer" that runs separate from "React layer" is a welcome addition. Maybe there are just very different views about this. Also there's a question about how much sense it makes to use Edge middleware when the data is in one location anyway. Might as well run the middleware there |
Beta Was this translation helpful? Give feedback.
-
Hello, do you have any ETA for this feature? Could you also explain why config flag for this feature was removed before? |
Beta Was this translation helpful? Give feedback.
-
Currently, neither pino nor winston work out of the box for middleware logging. So we have to create two spererate instances of a logger for middleware files and server side code. See this discussion |
Beta Was this translation helpful? Give feedback.
-
Will we be able to use the Data Cache inside of middleware when using the nodejs runtime? |
Beta Was this translation helpful? Give feedback.
This comment was marked as spam.
This comment was marked as spam.
-
I don't believe it has been mentioned but I'm currently trying to get CSP to work for static pages so that I can continue to have the benefits of the CDN rather than force my entire site to become dynamic and slow for the sake of added security. Middleware can be used to generate nonces for dynamic pages so there is no issue there. However, I currently have a script in my build pipeline that generates hashes for the static pages and these hashes need to be passed to the middleware so that it can include them in the CSP header - but that is where I am hitting a wall. There is an issue here where I would need to insert my hash-generating script after the generation of the static pages but before the middleware gets compiled (if that is even the build order with NextJs - I couldn't find an answer to this). This would allow me to insert the hashes before the final compilation of the middleware. Since that is not possible, I have to run my hash-generating script after This is all pretty complex stuff if you compare to having a runtime where I could just write to a file and read from that file. It is added overhead compared to replacing the token in-file so that it becomes static but I bet many people would prefer the overhead of using In my opinion, there is a very nice opportunity here to allow for an easy setup of CSP for static pages with a middleware runtime that is less limiting. A kind of two-birds-one-stone situation. |
Beta Was this translation helpful? Give feedback.
-
I'm implementing error handling with the new |
Beta Was this translation helpful? Give feedback.
-
@leerob Is there a timeline for this issue? |
Beta Was this translation helpful? Give feedback.
-
Another use-case which, due to this limitation, is probably impossible to achieve at the moment with Next.js: Store session data in Redis and validate the session in a Next.js middleware. ioredis and node-redis are both not edge-compatible. No, I don't want to use Upstash. I want to use the same stable libraries and approaches I have been using for years before Next.js took it all away. |
Beta Was this translation helpful? Give feedback.
This comment was marked as spam.
This comment was marked as spam.
-
I have a similar use case to @anupsquare , I have to fetch user data in the middleware, I created a new endpoint as mentioned by him, but I still have the problem that I want to store the user information (ideally) in the request object just as I did with express. I understand this might not be the best solution, but, what would be it? I'm not sure if sending the user through cookies or headers is the correct approach (perhaps it is) |
Beta Was this translation helpful? Give feedback.
-
We are actively working on supporting the use of the Node.js runtime for Next.js Middleware.
This discussion is a follow up from #46722 to allow folks to get notified as progress is made.
Beta Was this translation helpful? Give feedback.
All reactions