Description
Checklist
- The issue can be reproduced in the nextjs-auth0 sample app (or N/A).
- I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
- I have looked into the API documentation and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Description
After following the V4 migration guide and enabling route protection via middleware:
```ts
import { NextResponse, type NextRequest } from "next/server"

// `auth0` is the application's nextjs-auth0 client instance;
// import it from wherever the app defines it.
export async function middleware(request: NextRequest) {
  const authRes = await auth0.middleware(request)

  // authentication routes — let the middleware handle it
  if (request.nextUrl.pathname.startsWith("/auth")) {
    return authRes
  }

  const { origin } = new URL(request.url)
  const session = await auth0.getSession()

  // user does not have a session — redirect to login
  if (!session) {
    return NextResponse.redirect(`${origin}/auth/login`)
  }

  return authRes
}
```
All the unauthorized requests (when there's no session data yet - user is not logged in) end up hitting `/auth/login/` (note the trailing slash) which resolves in 404 (Not Found) page being displayed when `trailingSlash: true` option is enabled in `next.config.js`. Removing the `trailingSlash` configuration or setting it to `false` fixes the problem, but I do not think the library clients should be forced to disable it.
Reproduction
- Use the middleware from V4 migration guide to protect the routes and redirect to `/auth/login` when the session data is missing;
- Add `trailingSlash: true` option to your `next.config.js`;
- Hit any of your application's routes (or `<your_app_url>/auth/login` directly) in Incognito;
- Expect the generic 404 (or custom `/_not-found` page) to be displayed and `<your_app_url>/auth/login/` in the URL bar after being redirected to `<your_app_url>/auth/login`.
Additional context
When `trailingSlash` option is set to `true`, `req.nextUrl.pathname` contains the trailing slash, hence this exact pathname check from `auth-client.ts` evaluates to `false` and does not intercept the request with the `handleLogin` call. Same happens with other URL-based conditions defined in `handler`.
nextjs-auth0 version
4.0.2
Next.js version
14.2.13
Node.js version
20.18.2
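
The mismatch reported above, reproduced as an added example (not code from the issue or from nextjs-auth0): an exact pathname comparison misses `/auth/login/`, while comparing after trailing-slash normalization matches both spellings without accepting look-alike paths. The route table, the handler names other than `handleLogin`, and the functions `matchExact`, `normalizePath`, `matchNormalized` and `isAuthPath` are assumptions made for illustration.

```typescript
// Added example, not nextjs-auth0 source. The route table is an assumption
// built around the /auth/login path named in the issue.
const AUTH_ROUTES: { path: string; handler: string }[] = [
  { path: "/auth/login", handler: "handleLogin" },
  { path: "/auth/logout", handler: "handleLogout" },
  { path: "/auth/callback", handler: "handleCallback" },
];

// Exact comparison, the behaviour the issue describes: with
// trailingSlash: true the pathname arrives as "/auth/login/" and misses.
function matchExact(pathname: string): string | null {
  for (const route of AUTH_ROUTES) {
    if (pathname === route.path) return route.handler;
  }
  return null;
}

// Strip trailing slashes but keep the root path "/" intact.
function normalizePath(pathname: string): string {
  const trimmed = pathname.replace(/\/+$/, "");
  return trimmed === "" ? "/" : trimmed;
}

// Same table, compared after normalization, so both spellings reach the
// handler while look-alike paths such as "/auth/loginx" still do not.
function matchNormalized(pathname: string): string | null {
  return matchExact(normalizePath(pathname));
}

// Segment-aware alternative to pathname.startsWith("/auth"): true for
// "/auth" and "/auth/...", false for "/authors", which only shares a prefix
// and therefore should not skip the session check.
function isAuthPath(pathname: string): boolean {
  const p = normalizePath(pathname);
  return p === "/auth" || p.indexOf("/auth/") === 0;
}
```
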