MIddleware should accept custom JWT decode method to correctly read custom-signed JWT

[hinsxd]

Description 📓

next-auth/packages/next-auth/src/next/middleware.ts

Line 84 in 7636de4

const token = await getToken({ req: req as any })

Middleware is calling getToken directly without providing any decode methods. By getToken() uses jwtDecrypt from jose package, and it will probably throws error when the JWT is not signed in the same way. It will throw error when we provide custom JWT encode/decode inside [...nextauth].ts

There should be a way to synchronize / share settings between [...nextauth].ts and _middleware.ts

How to reproduce ☕️

// [...nextauth].ts
import jwt from "jsonwebtoken";
...

  jwt: {
    encode: async ({ secret, token }) => {
      // Do other stuff
      return jwt.sign(token as any, secret, { algorithm: "HS256" });
    },
    decode: async ({ secret, token }) => {
      return jwt.verify(token as string, secret, {
        algorithms: ["HS256"],
      }) as any;
    },
  },

// Any _middleware.ts
export { default } from "next-auth/middleware"

Contributing 🙌🏽

No, I am afraid I cannot help regarding this

[balazsorban44]

Yeah, I think we could add jwt.decode to the Middleware API, and forward it to getToken (the idea is to keep the API the same as NextAuthOptions). 👍 I don't think encode is used anywhere? 🤔

[hinsxd]

Yes I think so. As long as the middleware is only used to read session and protect pages, decode would be enough.

Some extra thoughts:
Is it possible to declare all the settings in next.config.js or a separate config files, so both api routes and middleware can grab the config? Sounds like a better option than asking user to abstract the decode function themselves and put it somewhere. We can have some opinionated file structures

[hinsxd]

@balazsorban44 I have made PR to address this issure. Feel free to have a look, thanks!

[agustif]

Some extra thoughts: Is it possible to declare all the settings in next.config.js or a separate config files, so both api routes and middleware can grab the config? Sounds like a better option than asking user to abstract the decode function themselves and put it somewhere. We can have some opinionated file structures

What I've seen in the codebase is declaring a const that you export in nextauth file itself called authOptions
https://github.com/nextauthjs/next-auth/blob/001354eaa8053427d996d2e7c0b3eba69e0552cb/apps/dev/pages/api/auth/%5B...nextauth%5D.ts
I've copied it myself, maybe that's good enough for now? Adding an auth.config.js in the future might be useful to make it easier from scratch to use appropiate config that can be reused across the codbase or different repos/projects.

[hinsxd]

Agreed. Lets keep everything simple unless a rewrite / breaking change is going to be introduced.