NextAuth middleware is blocking authenticated users

[dgrcode]

EDIT: It looks like this issue #5008 is the source of the problems.

Question 💬

For some context, I'm using NextJS, Supabase (db hosting), Prisma, and NextAuth for authentication.

It seems like the Users are getting created properly in the database, but I don't see Sessions in the database. The frontend, however, is getting some session.

const { data: session } = useSession()
console.log(session)

// returns
// {
// expires: "2022-09-01T19:44:05.992Z"
// user:
//   email: {my email}
//   image: {my twitter pic url}
//   name: "Daniel Reina"
// }

I've been investigating. What I've found is that the jwt token in the middleware is null. I've replaced:

// before debugging
export { default } from 'next-auth/middleware'

// during debugging
import type { NextRequest } from 'next/server'
import { getToken } from 'next-auth/jwt'

export async function middleware(req: NextRequest) {
  const jwt = await getToken({ req })
  console.log(jwt) // <-- this is always `null`
}

I've git-checked older commits where the middleware was working as expected. After git-checking I reseted the db and pushed the schema at that point in time with:

npx prisma migrate reset
npx prisma db push

But I keep having the same problem. That makes me think the issue is not related with my code, but something must be funny with schemas/versions/dependencies or something like that.

Very funny stuff I just found out. I've setup the debugger with Nextjs, and I've added a breakpoint on "node_modules/next-auth/jwt/index.js", just inside the getToken function. Funny stuff:

1. The middleware call to getToken doesn't trigger the breakpoint 🧐
2. Calls to getToken from the page's getServerSideProps do trigger the breakpoing.

Very weird, but ok. I went and drilled down with "Step into" from the middleware call to getToken. It opens a different index.js with exactly the same contents of "node_modules/next-auth/jwt/index.js", but VSCode can't locate the file in my computer (wat?).

Anyways, the token is taken from the sessionStore, using the cookie named "next-auth.session-token". The value it gets looks like a JWT token, but it's broken.

eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..WXHES5gEFTv2fw4b.49QrwGs8hoaN7qGlph8V6y26SRunZgl1Z8Dv1KkCOjG0V1xftcz4ILjgyhegSwA2DDEP0P_2K-iSebsvBW5iu0eWJlSvYtpdV0THOl2O-TyBjAgy3thJLfaJ5TCHzkwyYkavwAZWV19IxLAOxrf38FbVjAgLntAZZKvUECWARza97MIq6BcYWN7IFZ9shG5caWOH_zReyXZWfFBePv_nQynJJ7qgEuPRdhySptlJ45He4ScihUP05w7FRJaEGvD-YlUMqG_ofoUOw63xjAFSG_c8SK8zwsVW8lwroNCq24PasKTrpXV25JoFofWRjw.aqLtQ7T2--4VU6wnbIWMfQ

Therefore the _decode call fails and the jwt becomes null in the middleware.

Interestingly, the call to getToken that actually uses "node_modules" is able to successfully decode the broken token. As far as I know that couldn't be possible, so I'm completely clueless at this point.

Open questions

Main questions are:

• Why do I have a broken jwt stored in a cookie? (maybe next-auth related)
• Why is the middleware using a different getToken than the pages? (probably not next-auth related)
• How is the getToken called from the pages able to decode a broken token?

Any help is greatly appreciated 🙏

How to reproduce ☕️

Not sure how to make a reproduction given the use of multiple env variables and supabase.

Contributing 🙌🏽

Yes, I am willing to help answer this question in a PR

[cguagenti]

@dgrcode did you manage to find a solution for this?

[dgrcode]

you can have a look at #5008.

TL;DR version is that next-auth is not compatible with some versions of nextjs. I downgraded to Next 12.2.2 and it worked. Not sure what's the status of this with later versions of nextjs

[cguagenti]

yeah, I went through that "short" issue lol

I was hoping for some good news from your side, like "oh no no, this is now fixed in the latest version of Next", but could be always worst.

Thanks!

[dgrcode]

haha yep, I don't know about later versions. I imagine this should be working with Next 13, or I'd expect the issues to be flooded with people talking about incompatibility. But I haven't tried myself ¯_(ツ)_/¯