next-firebase-auth
RFC: discuss value of Next.js middleware
Next.js supports middleware, which this library could recommend as a way to integrate with next-firebase-auth. I'd like to gather input on whether middleware provides value that the current API (withAuthUser and withAuthUserTokenSSR) does not.
My initial assessment is that middleware usage could be a good option for apps where auth info is needed on many or all pages and the server-side auth/redirect settings don't change between pages. In this scenario, middleware could provide an AuthUser on the request object in getServerSideProps or redirect as needed.
However:
- Middleware can't currently set return data or set React context; thus, unlike the existing API for SSR pages, AuthUser won't be set on the client side until the Firebase JS SDK initializes.
- Middleware reduces flexibility on whether to use auth info on individual pages.
Feedback and input appreciated!
First of all, congratulations on your job well done! I've been using it successfully for over a year. About Next.js middleware, what would be the approach to use since Node.js is not supported? It would not be possible to use the Firebase Admin SDK
Source: https://vercel.com/docs/concepts/functions/edge-functions#unsupported-apis
Is that correct? It reads that only native Node.js APIs aren't supported.
From docs:
The Edge Runtime has some restrictions including:
- Native Node.js APIs are not supported. For example, you can't read or write to the filesystem
- Node Modules can be used, as long as they implement ES Modules and do not use any native Node.js APIs
That aside, there's not a clear use case for needing middleware yet. This thread has been quiet.
Is that correct? It reads that only native Node.js APIs aren't supported.
The problem seems to be the fs module used by the Firebase Admin SDK
I saw the addition of the recent getUserFromCookies function, I was wondering if it could be used inside the updated Next.js middleware to do basic authentication like this example here.
I see that getUserFromCookies is still using the admin SDK, but only if includeToken is true, wondering if it would make sense to either
- Only require admin SDK if includeToken is passed
- Or to inject verifyIdToken to getUserFromCookies ...getUserFromCookies(ctx, verifyIdToken)
this way we can use getUserFromCookies inside middleware + API routes and have them running on the edge runtime
@abusada That's a good idea and should be a pretty simple first step.
On top of that, we can probably support the same behavior as withAuthUserSSR if we modify the redirects to use NextResponse and are careful to avoid native Node APIs. We could pass the user in a request header (maybe X-NFA-User?).
Yes, that sounds great. I would gladly prepare a pull request with the changes; I'll try to have one ready by the end of the week.
Ended up here when researching the possibility of doing simple JWT verification in an edge middleware and redirecting end-user to /logout if that fails. I don't see a PR linked to this issue, was this change to getUserFromCookies ever implemented?
@trymbill Not yet. PR welcome for this!
Hey, any news about this? I'd like to call some protected APIs from the middleware and I need a token for that.
Thanks
Would love to get my auth code working on the edge.
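A sketch of the proposal discussed in this thread (an injected verifyIdToken plus an X-NFA-User request header), added here as an illustration and not code from next-firebase-auth or any participant. The names authMiddleware, readCookie and demoVerify and the cookie name idToken are hypothetical; the point it shows is that any client-supplied copy of the header is dropped before the middleware sets its own.

```javascript
// Added example with hypothetical names; this is not next-firebase-auth's API.
const USER_HEADER = 'x-nfa-user'; // header name floated in the thread

// Return the value of one cookie from a Cookie header string, or null.
function readCookie(cookieHeader, name) {
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0 && part.slice(0, idx).trim() === name) {
      return part.slice(idx + 1).trim();
    }
  }
  return null;
}

// request: any object with `url` and a Web-standard `headers` (Headers).
// verifyIdToken: injected async (token) => claims; must throw on a bad token.
// Only Web-standard APIs are used, so nothing here needs `fs` or the Admin SDK.
async function authMiddleware(request, verifyIdToken, cookieName = 'idToken') {
  const headers = new Headers(request.headers);
  // A browser can send its own X-NFA-User; drop it so that only this
  // middleware can assert an identity to downstream handlers.
  headers.delete(USER_HEADER);

  const token = readCookie(headers.get('cookie'), cookieName);
  let claims = null;
  if (token) {
    try {
      claims = await verifyIdToken(token);
    } catch {
      claims = null; // treat every verification failure as unauthenticated
    }
  }
  if (!claims) {
    const target = new URL('/logout', request.url).href;
    return { response: Response.redirect(target, 307), headers };
  }
  // Header values must be byte strings, so the JSON is percent-encoded.
  const user = JSON.stringify({ id: claims.sub, email: claims.email });
  headers.set(USER_HEADER, encodeURIComponent(user));
  return { response: null, headers };
}

// Constructed stand-in verifier for the demo; a real one checks the JWT signature.
const demoVerify = async (token) => {
  if (token !== 'good') throw new Error('invalid token');
  return { sub: 'u1', email: 'a@example.com' };
};
```

In a Next.js middleware the returned headers would be forwarded with NextResponse.next({ request: { headers } }).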