
Getting bad usage, Minimum usage is const session = await getIronSession(...)

Open swtmply opened this issue 2 years ago • 3 comments

I'm using iron-session/next in my login API route, and I'm getting this error whenever I try logging in.

This is the code I'm using

import type { NextApiRequest, NextApiResponse } from "next";
import query from "../../lib/db";
import bcrypt from "bcrypt";
import { withIronSessionApiRoute } from "iron-session/next";
import { sessionOptions } from "../../lib/session";

export default withIronSessionApiRoute(loginRoute, sessionOptions);

async function loginRoute(req: NextApiRequest, res: NextApiResponse) {
  if (req.method === "POST") {
    try {
      const user: any = await query({
        query: "SELECT * FROM users WHERE email=?",
        values: [req.body.email],
      });

      // Check that a row came back before reading user[0]
      if (user.length === 0)
        return res.status(401).json({ message: "User is not found" });

      const isMatched = await bcrypt.compare(
        req.body.password,
        user[0].password.replace("$2y$", "$2a$")
      );

      // Return here so a failed login never reaches session.save()
      if (!isMatched)
        return res
          .status(400)
          .json({ message: "Invalid Credentials, Please try again." });

      // Note: `user` is the full SELECT * result, password hash included
      req.session.user = user;
      await req.session.save();

      res.status(200).json({ ok: true });
    } catch (error) {
      res.status(500).json({ message: (error as Error).message });
    }
  }
}

swtmply avatar Apr 11 '22 05:04 swtmply

If you follow the instructions and use withIronSessionApiRoute and req.session.save(), it won't work! However, it works in withIronSessionSsr.

chuyihuang avatar Apr 21 '22 08:04 chuyihuang

Hey there, I just tried the instructions again here: https://github.com/vvo/iron-session#nextjs-withironsessionapiroutehandler-ironoptions--req-nextapirequest-res-nextapiresponse--ironoptions--promiseironoptions

and it worked all good.

Can you console.log(sessionOptions), remove the secret and paste them here? Thanks

vvo avatar Apr 22 '22 21:04 vvo

I was facing the same issue. This solution works perfectly for me:

/lib/auth/session.js

import { withIronSessionApiRoute, withIronSessionSsr } from "iron-session/next";

const sessionOptions = {
    cookieName: "userSession",
    password: process.env.SECRET_COOKIE_PASSWORD,
    cookieOptions: {
        secure: process.env.NODE_ENV === "production",
    },
};
 
export function withSessionSSR(handler) {
    return withIronSessionSsr(handler, sessionOptions)
}

export function withSessionAPI(handler) {
    return withIronSessionApiRoute(handler, sessionOptions)
}

/pages/api/auth/login

import axios from "axios";
import { API_URL } from "../../../lib/apiChanger";
import { withSessionAPI } from "../../../lib/auth/session";

export default withSessionAPI(
    async (req, res)=> {

        const {identifier, password} = req.body;

        // Log in via Strapi and get user + JWT
        const { data } = await axios.post(`${API_URL}/api/auth/local`, {
            identifier, password
        })

        req.session.user = await data;
        await req.session.save();
        res.status(200).json({success: "Logged in"});

    }
)

nordowl avatar Jun 16 '22 13:06 nordowl

Hi, I had the same error, but it was my mistake. I opened a new terminal and forgot to set SECRET_COOKIE_PASSWORD

export SECRET_COOKIE_PASSWORD=xxxxxxxxxxxx

karelbecerra avatar Nov 20 '22 23:11 karelbecerra

It would be really helpful if the error message correctly identified the missing env var. Current error is absolutely impossible to debug.

zedrdave avatar Mar 10 '23 19:03 zedrdave

Adding an environment variable works for me, but I have to add a prefix to it for a NextJS project:

IRON_SESSION_SECRET=

gamertense avatar Mar 25 '23 18:03 gamertense

I got the same error and resolved it by adding the environment variable. If password is undefined, it will throw this error.

jkiss avatar Apr 10 '23 06:04 jkiss
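
The root cause reported in the comments above (an undefined password producing the generic "bad usage" error) can be caught at startup with a check that names the missing variable. This is an added example, not part of the thread and not iron-session's own code; the helper names are hypothetical, the cookie name and SECRET_COOKIE_PASSWORD come from the comments above, and the 32-character minimum is iron-session's documented password requirement.

```javascript
// Added example: fail-fast validation of iron-session options (hypothetical helpers).
const MIN_PASSWORD_LENGTH = 32; // iron-session's documented minimum password length

// Returns a list of human-readable problems; an empty list means the options look usable.
function findSessionOptionProblems(options, passwordEnvName) {
  if (!options || typeof options !== "object") {
    return ["session options object is missing"];
  }
  const problems = [];
  if (typeof options.cookieName !== "string" || options.cookieName === "") {
    problems.push("cookieName is missing or empty");
  }
  const pw = options.password;
  if (pw === undefined || pw === null || pw === "") {
    problems.push(`password is not set (is ${passwordEnvName} defined in this environment?)`);
    return problems;
  }
  // iron-session also accepts an { id: password } map for rotation; check every entry.
  const isString = typeof pw === "string";
  const entries = isString ? [["", pw]] : Object.entries(pw);
  if (entries.length === 0) problems.push("password map is empty");
  for (const [id, value] of entries) {
    if (typeof value !== "string" || value.length < MIN_PASSWORD_LENGTH) {
      // Report the key and the length rule only, never the secret itself.
      const label = isString ? "password" : `password[${id}]`;
      problems.push(`${label} is shorter than ${MIN_PASSWORD_LENGTH} characters`);
    }
  }
  return problems;
}

// Builds the options from an env-like object and throws a descriptive error if unusable.
function buildSessionOptions(env, passwordEnvName = "SECRET_COOKIE_PASSWORD") {
  const options = {
    cookieName: "userSession",
    password: env[passwordEnvName],
    cookieOptions: { secure: env.NODE_ENV === "production" },
  };
  const problems = findSessionOptionProblems(options, passwordEnvName);
  if (problems.length > 0) {
    throw new Error(`Invalid session configuration: ${problems.join("; ")}`);
  }
  return options;
}
```

Calling `buildSessionOptions(process.env)` once in the module that exports the session options makes a missing or too-short secret fail when the server starts, with the variable name in the message, instead of on the first login request.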