session middleware?

[bibblebabl]

Hi everyone,

I'm working on a feature to check users' subscription status and expiration date to ensure that only those with an active plan can access the system. I want to prevent access to auth pages if the subscription isn't valid, but I'm unsure about the best approach to implement this.

Storing the expiration date in the JWT doesn't seem secure since it can be manipulated, and making fetch calls in middleware.ts feels like it's not the right place either.

If anyone has experience with this or can suggest a more elegant solution, I'd really appreciate your help!

Thanks in advance.

[VladBo]

Here is more advanced solution: we have 2 types of session (guest and authenticated) #11319 (comment). But in general, you just need to get session from req.auth. It won't make any additional fetch calls. It will just read session cookie.

[bibblebabl]

@VladBo

Thanks for the reply. I looked at your code and really didn't quite see how this is coordinately different from version 4? Anyway, I'll try to explain the problem I'm having:

From what I understand, you’re suggesting storing this information in a token. However, I’d like to ask how you envision verifying the subscription status going forward. For instance, all authenticated pages should only be accessible if the user has an active subscription. There are many internal pages, and if we add a check on each page individually, it would increase the amount of code we need to maintain, violating the DRY principle. Is there a tool or method we can use to perform this check universally for all pages?

Here’s what I’m thinking: we could implement a middleware that checks the subscription’s expiration date from the token. If the subscription has expired, we could redirect the user to a page where a hook updates the subscription information. If the subscription is still active, we would redirect them to the main protected page. Otherwise, we could send them to a page displaying a banner about the expired subscription.

However, I have some concerns about this approach:

1. It doesn’t fully guarantee that the subscription information in the token is up to date.
2. At what point should the expiration date in the token be updated if the subscription status changes? For example, a payment via Stripe could be delayed (due to a webhook), and I don’t think a JWT can be updated in a delayed manner.

[AnastasiiaRoch]

@VladBo
Hi. Is there a way to get user session data in middleware without making an extra call to fetch a user object? In the request.nextauth, we only have limited user info (token, token expiration time), and the rest of the user data is obtained in the next-auth session callback by making an API call.

async session({ session, token }) {
   session.user = await getUserData(token);
   return session;
},

In middleware, we need specific user data to protect routes, which we receive with the getUserData call. Is there a way to obtain a session object in middleware without making this call again? Thanks.