Відео

When I stumbled on this exact situation, I thought I was losing my mind. I eventually reached the same conclusions as you, and I ended up just using token strategy for things like /admin access (protected routes), then check more granular permissions downstream.

You guys are still using next auth? Previous auth is where it's at.

Where does layout get rendered? Is it only the client or server or both?

Cody's advise near the end takes "testing in production" to a new level.

Your videos are helpful, Thanks alot❤ deserved a Sub🎉🎉

Smells like Vendor Lock to me.

Please, code

Which is why going into 2025 we don't use JavaScript on the server

What's your opinion on selling a saas that is built as lets say dockerized instances for each customer vs having one system with multitenancy approach? I started with a multitenant approach and realized that it gets more complex as having one database with tenant_Ids everywhere. Also when it comes to logging and dashboard usage, I would like to tell which customer is doing what on which system. But the thing I like with the tenant approach is that getting a payment and setting it up can be easy for the customer and then you have the ability to switch between tenants which is something i've seen on another software. Keep in mind. I am leaning towards getting rid of the multitenant system just in case a customer asks for an on-premise solution.

That was really helpful!

you can filter your pathnames that pass through the middleware by using the exported config object also I tend to do the pattern you mentioned of doing ifs on the pathname for specific cases

we need this site live! it's amazing

I’ve struggled with this as well. Not really sure what best practices might be, but at this point I just do a basic access check in middleware for admin routes or user routes to check for authentication. This at least protects my sensitive route groups, but then I do a fine grained authorization on page level for access control. Not ideal, but works.

At this point, I just hate Next.js. Just using MERN stack does the job for me.

I always get confused with Auth, please make a tutorial on Next auth once you figure it out😂

you can probably use auth() function from v5 and see if this works

because nextjs doesn't give you an actual middleware, in a nodejs app you expect the middleware to be the same, simple and incredibly useful one that was using app.use in express but because of all of this caching bs they make it impossible to make dynamic responses based on data that can change, it's pretty stupid and they should give an option to disable all the caching bs with one config command.

i have the same problem with Crypto module of node js in middleware. i was using JWT package in the middleware and JWT uses crypto module of node js. so i ran into the same issue when try to use Turbopack. i opened issue 64464 and mentioned the problem. Tim Neutkins commented on the issue and fixed it. so in the canary version 14.3.0 the issue has been resolved.

wdym token set for 30 days? you can manually change the cookie age on the auth config and everytime session is called the jwt is refreshed

Didn't use next-auth but I had to use firebase auth with Next.js Middleware, and there was a package that saved my ass called next-firebase-auth-edge, but even that was kinda complicated to set up, especially on the frontend.

I used drizzle and I hated :(.

can use it for jwt strategy ? session: { strategy: "jwt", maxAge: 30 * 24 * 60 * 60, updateAge: 24 * 60 * 60, },

The solution should be pretty easy, although not much elegant! you could just fetch the session like this: await fetch(`${req.nextUrl.origin}/api/auth/session`, { headers: { cookie: req.headers.get("cookie") || "", }, })

If only angular existed. { path: "dashboard", component: DashboardComponent, canActivate: [() => authenticationGuard()], } My biggest gripe with anything react based is everyone tries to invent his own shitty version of what should be a standard part of the library. Angular much better, each project has a clear defined structure, yes ng-for ect ect was really annoying but it's no longer a thing, since 17 i do think it's much better than any react based "framework" out there.

Your middleware file should export a config with a matcher pattern to not be called with every file request. Just like in nextjs docs. export const config = { matcher: [ /* * Match all request paths except for the ones starting with: * - api (API routes) * - _next/static (static files) * - _next/image (image optimization files) * - favicon.ico (favicon file) */ '/((?!api|_next/static|_next/image|favicon.ico).*)', ], }

Hey Cody, noob question here, does this mean that the middleware won't run on VPS anymore? or it's just can't run some packages on middleware?

Also relying on authorization checks in layouts isn't gonna be 100% secure. You can request an RSC payload by just adding a search param and it can return the children of layout (Page.tsx in this instance) without even executing layout.tsx Auth checks in page.tsx are unreliable in the same fashion. sources: ua-cam.com/video/EGDD0rlBd8Q/v-deo.html ua-cam.com/video/v6UvgfSIjQ0/v-deo.html

What about opennext?

I was so stuck on this issue. Thank you so much!!!

that "additional plugins required to handle cloudflare: URIs" error is due to pg not working well on the edge runtime (which the next.js middleware runs on). If you move to something like neon or @vercel/pg (also works with supabase), which uses HTTP to connect to the db, it works just fine. otherwise there's a weird webpack override that you can set in next.config.js but that doesn't seem to work anymore on Next 14.1 and above?

@WebDevCody React query can fix this problem. Vanilla NextJS with server actions and revalidatePath is not always the complete solution.

Another shitty thing about next middleware is you only have one middleware file. Youd expect it to work at every point you can add a page

I have a problem with the minecraft server hosting project I am trying to practice but when I run the agent it gives me an error and I can only run the client please help thanks

I have a problem with the minecraft server hosting project I am trying to practice but when I run the agent it gives me an error and I can only run the client please help thanks

Yes, this is not next-auth related issue. Idk why tons of ppl think this way, it happens on anything if you are using non-supported node packages on Edge Runtime. A workaround to fix this is, you can use your API inside middlewares. Instead of using await getCurrentUser() directly, have an API endpoint that returns that so you can use fetch to get this data.

You could try using the neon serverless driver with the neon drizzle adapter. That's my current setup to query Supabase from Drizzle Neon in Nextjs middlewares/routes hosted on cloudflare

I use Vike

I had the same issue not too long ago. I ended up creating an API endpoint which takes care of the db call, and then calling that from the middleware. Not the prettiest solution, but it worked 🤷‍♂

This had to do with the middleware being configured to run on the edge only. I personally use Lucia auth with database sessions and use Drizzle with a MySQL database deployed on my server. The middleware does not allow me to query the DB at all to validate the session because of this edge/node issue. Also at 6:37, I would not recommend doing auth checks or get the user in the layout but rather in a template. The reasoning behind that is that the layout won't be triggered again on client routing between pages. A template will retrigger getting the user or validating the user to make sure it's up to date.

cool video. I have a problem with the minecraft server hosting project I am trying to practice but when I run the agent it gives me an error and I can only run the client please help thanks

Next.js is way, way too coupled to Vercel's opinionated deployment strategies. I don't mind if a framework is opinionated; that usually just means there's a defacto "right way" to do anything you'd need to. But how on God's green earth does it make sense for a Node-based framework to ONLY allow "edge-friendly" libraries...? You'd think they'd have a config option to allow you to opt INTO an edge-based middleware...but since Next is designed to be deployed to Vercel I guess it's not a priority. I've been getting more and more frustrated with Next lately, I hope a new stable RSC-framework arrives soon but maybe that's unrealistic.

I have had the same issues with nextauth, I feel like the Middleware is more hassle than it's worth lol

Time to move to Remix/Nuxt.

I got the same problem, my dirty workaround was to proxy the database calls with a secret key. Checkout the proxy section in drizzle docs for Postgres.

All the abstraction and inability to control your code at the right level is why I don’t bother with next anymore.

You can use the middleware matcher from clerk here to run everywhere except static files to prevent that many session calls but it may still do a few more than expected

I've tried using next-auth few times and I never had a good experience. Bad docs and cryptic errors all the time. Managed to get it working, but left a bad impression. I usually work on projects where backend is separate from the Next.js app so in middleware I don't have these issues because I just ping an external API for all this session information and don't need next-auth at all really. Regarding 4:50 and middleware running on all requests, that's mentioned in docs and there is a "matcher" config you can specify to ignore api routes, static files etc. We developers need to learn to read docs better because I also jump into stuff immediately without actually reading few paragraphs first. As far as edge goes, I think Vercel just went in too deep into that with Next.js and it's causing a frustrating experience. Even they are stepping back from some of the ideas they have been pushing and admitted they were wrong, which is good.

From my experience there is no way to make NextAuth play nice with Edge Middleware, I have no idea why they coupled "Middleware" the programming pattern to Edge-Middleware the microservice. It feels like such a massive, hopefully unintentional, design flaw to not just have both and have them be different things. If I want some micro-service to run, possibly closer to the user, before my requests, have that be one thing and then you can have a function that runs before my requests on the same deployment be another thing. What I ended up doing with next-auth and edge middleware was just checking if the request had a next-auth cookie, that way I didn't have to include the library in the middleware microservice, but I was in the same situation were I was deploying to a company's internal Kubernetes environment and there was no reason for me to deploy my middleware as a microservice with a different runtime.

Middleware is only for edge runtime right now

Try clerk or lucia auth