You should be able to dictate the redirection using withAuth's callbacks--> authorize False. It should not strictly be a redirect to Login

[DaleSalcedo]

Description 📓

At the moment, returning False only redirects to the Login page; there is no other choice on what returning False can do.

I think that's completely limiting the use case of this great Middleware feature. Perhaps you would want to redirect to a page of choice that says "You are not authorized to view this page".

export default withAuth({
  callbacks: {
    authorized: (param) => false,
  },
})

Suggestion. Maybe adding a redirect property to the pages option would suffice:

export default withAuth({
  callbacks: {
    authorized: (param) => false,
  },
  pages: {
    redirect: '/notauthorized',  // this would give the user much more use-cases
  }
})

How to reproduce ☕️

export default withAuth({
  callbacks: {
    authorized: (param) => false,
  },
})

Contributing 🙌🏽

No, I am afraid I cannot help regarding this

[AustinBajka]

Agree with this, hopefully this is coming back around. I have our application separate into an /authenticated and /home folder and if the token exists but the permissions the user has does not allow them to view the route they are trying to go to, I would rather send them to a page that states that than all the way back to the login page where they have to be authenticated again.

[bhaden94]

This would be nice. To get this functionality with the current state of next-auth, I use the jwt callback in NextAuth to verify the user is authorized and set a custom role on the token if so. Then, the middleware function in withAuth can check that token role and redirect if the user is not authorized to view the page.

Here is my withAuth:

export default withAuth(
  function middleware(req) {
    if (req.nextauth.token?.role !== 'authorizedUser') {
      // redirect to a not authorized page
      return new NextResponse('not authorized')
    }
  },
  {
    callbacks: {
      authorized: ({ token }) => !!token,
    },
    secret: process.env.NEXTAUTH_SECRET,
  },
)

Here is my NextAuth jwt callback:

callbacks: {
    async jwt({ token }) {
      const isAuthorized = await checkIfAuthorized(token)
      if (isAuthorized) {
        token.role = 'authorizedUser'
      }

      return token
    },
  },

[DaleSalcedo]

thanks for sharing this alternative

[AustinBajka]

Likewise, I appreciate the alternative, I'll look into implementing that.

I have a handful of roles that need to be checked against specific routes but this gives a good basis to start with.