`getSession(req)` fails in middleware: `req instanceof NextRequest` returns false

[arklanq-patronus]

Checklist

• The issue can be reproduced in the nextjs-auth0 sample app (or N/A).
• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

When calling getSession(req) from inside a Next.js Middleware, the following check inside the library fails:

nextjs-auth0/src/server/client.ts

Line 362 in 0e83495

if (req instanceof NextRequest) {

// src/server/client.ts:362
if (req instanceof NextRequest) {
  ...
}

This is because in the Middleware context, request object is not an instance of NextRequest, but rather NextRequestHint, which is structurally similar but does not inherit from NextRequest. As a result, the condition returns false, and the wrong branch of logic is executed (falling back to createRequestCookies(req) which expects a different shape).

req is of type NextRequest, but it’s not an instance of NextRequest. Its prototype is NextRequestHint.

As a result, if I invoke getSession(req), providing req: NextRequest, I get an error:

 ⨯ TypeError: Headers.append: "append(name, value) {
        webidl.brandCheck(this, _Headers);
        webidl.argumentLengthCheck(arguments, 2, "Headers.append");
        const prefix = "Headers.append";
        name = webidl.converters.ByteString(name, prefix, "name");
        value = webidl.converters.ByteString(value, prefix, "value");
        return appendHeader(this, name, value);
      }" is an invalid header value.
    at refreshAccessTokenEndpointHandler (src/server__new/auth/providers/auth0/refresh-access-token/refresh-access-token-endpoint-handler.ts:36:35)
    at auth0RouterMiddleware (src/server__new/auth/providers/auth0/router-middleware.ts:40:47)

You need a better way to distinguish between a middleware usage and pages router usage than simple instanceof check (which doesn't work):

    async getSession(req) {
        if (req) {
            // middleware usage
            if (req instanceof NextRequest) {
                return this.sessionStore.get(req.cookies);
            }
            // pages router usage
            return this.sessionStore.get(this.createRequestCookies(req));
        }
        // app router usage: Server Components, Server Actions, Route Handlers
        return this.sessionStore.get(await cookies());
    }

Reproduction

middleware.ts

// imports, config

export async function middleware(request: NextRequest) {
  const authRes = await auth0.middleware(request);

  if (request.nextUrl.pathname.startsWith("/auth")) {
    return authRes;
  }

  const session = await auth0.getSession(request);

  if (!session) {
    // user is not authenticated, redirect to login page
    return NextResponse.redirect(
      new URL("/auth/login", request.nextUrl.origin)
    );
  }

  // the headers from the auth middleware should always be returned
  return authRes;
}

Additional context

getAccessToken method is affected as well because it utilizes getSession under the hood.

Related:

• Headers.append: xxx is an invalid header value #2219
• bugfix: ignore enumerable functions when copying headers in Pages-router #2225

nextjs-auth0 version

4.9.0

Next.js version

15.4.2-canary.26

Node.js version

v22.15.0

[frederikprijck]

This is because in the Middleware context, request object is not an instance of NextRequest, but rather NextRequestHint, which is structurally similar but does not inherit from NextRequest.

Interestingly, NextRequestHint does extend NextRequest: https://github.com/vercel/next.js/blob/0985b2318645f1f7c267624388279528d8d44695/packages/next/src/server/web/adapter.ts#L39

Additionally, the docs also show that the request is of type NextRequest: https://nextjs.org/docs/14/app/building-your-application/routing/middleware.

For me the middleware check works fine when using req instanceof NextRequest:

import { NextRequest, NextResponse } from 'next/server';

export async function middleware(request: NextRequest) {
  const isInstanceofNextRequest = request instanceof NextRequest;

  if (isInstanceofNextRequest) {
    console.log('Request is an instance of NextRequest');
  } else {
    console.error('Request is not an instance of NextRequest');
  }

  return NextResponse.next();
}

Which gives me:

Can you provide some more context on the behavior you are seeing to help us understand what is going on?

[arklanq-patronus]

This is because in the Middleware context, request object is not an instance of NextRequest, but rather NextRequestHint, which is structurally similar but does not inherit from NextRequest.

Interestingly, NextRequestHint does extend NextRequest: https://github.com/vercel/next.js/blob/0985b2318645f1f7c267624388279528d8d44695/packages/next/src/server/web/adapter.ts#L39

Additionally, the docs also show that the request is of type NextRequest: https://nextjs.org/docs/14/app/building-your-application/routing/middleware.

For me the middleware check works fine when using req instanceof NextRequest:

import { NextRequest, NextResponse } from 'next/server';

export async function middleware(request: NextRequest) {
  const isInstanceofNextRequest = request instanceof NextRequest;

  if (isInstanceofNextRequest) {
    console.log('Request is an instance of NextRequest');
  } else {
    console.error('Request is not an instance of NextRequest');
  }

  return NextResponse.next();
}

Which gives me:

Can you provide some more context on the behavior you are seeing to help us understand what is going on?

Huh? That's interesting. I literally copy-pasted your code and for me it says "Request is not an instance of NextRequest".

I investigated an issue further and it seems that:

• For runtime: "nodejs" the output is "Request is not an instance of NextRequest".
• For runtime: undefined (default = edge runtime) the output is "Request is an instance of NextRequest".

export const config = {
  // runtime: "nodejs",
  matcher: [
    /*
     * Match all request paths except for the ones starting with:
     * - api (API routes)
     * - _next/static (static files)
     * - _next/image (image optimization files)
     * - .*\..* (static assets from public directory)
     */
    "/((?!api|_next/static|_next/image|.*\\..*).*)"
  ]
};

I’m using the Node.js runtime for Middleware because I’ve integrated a Redis database for session storage. The redis package is a Node.js-specific implementation that only works in the Node.js environment.

It seems that the results of my earlier investigation into the source of the error were partially incorrect, for which I apologize.

[frederikprijck]

Interesting ,so I change runtime to be "nodejs", and this is my full middleware file:

import { NextRequest, NextResponse } from 'next/server';

export async function middleware(request: NextRequest) {
  const isInstanceofNextRequest = request instanceof NextRequest;

  if (isInstanceofNextRequest) {
    console.log('Request is an instance of NextRequest');
  } else {
    console.error('Request is not an instance of NextRequest');
  }

  return NextResponse.next();
}

export const config = {
  runtime: 'nodejs',
  matcher: [
    /*
     * Match all request paths except for the ones starting with:
     * - _next/static (static files)
     * - _next/image (image optimization files)
     * - favicon.ico, sitemap.xml, robots.txt (metadata files)
     */
    "/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt).*)",
  ],
};

And when I run, I get:

GET / 200 in 706ms
Request is an instance of NextRequest
Request is an instance of NextRequest
Request is an instance of NextRequest
Request is an instance of NextRequest
Request is an instance of NextRequest

I am using nextjs 15.4.5, but I also have the same, correct, behavior when using 15.4.2-canary.26.

[arklanq-patronus]

Hey, a lot has been going on lately, I haven’t had time to prepare the repro repo, I’ll get back to it next week.

[frederikprijck]

No worries, thank you very much for circling back to us.

[SimonVadier]

I found the source of this issue, it happens when using Turbopack.

When running next dev everything works as expected, but with next dev --turbopack the request object isn't a proper instance of NextRequest despite having the same shape.

This seems like a Next.js issue with how Turbopack constructs request objects. A simple fix would be to check for properties rather than using instanceof - this would be a good workaround until Next.js addresses this.

---

For a quick repro:

• Create a Next app pnpm create next-app@latest my-app --yes
• Add a middleware that checks instanceof:

import { NextRequest, NextResponse } from "next/server";

export async function middleware(request: NextRequest) {
  const isInstanceofNextRequest = request instanceof NextRequest;

  if (isInstanceofNextRequest) {
    console.log("Request is an instance of NextRequest");
  } else {
    console.error("Request is not an instance of NextRequest");
  }

  return NextResponse.next();
}

export const config = {
  runtime: "nodejs",
  matcher: [
    /*
     * Match all request paths except for the ones starting with:
     * - _next/static (static files)
     * - _next/image (image optimization files)
     * - favicon.ico, sitemap.xml, robots.txt (metadata files)
     */
    "/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt).*)",
  ],
};

• Run with turbopack: next dev --turbopack -> Request is not an instance of NextRequest
• Run without turbopack: next dev -> Request is an instance of NextRequest

[tusharpandey13]

Closing this due to inactivity. Please feel free to reopen if you are still experiencing this issue and can provide a reproduction.