GetToken from middleware in v5

[ezeparziale]

I am testing version 5.
I migrated all the components to the v5 format, but I can't obtain what would be the equivalent of getToken. My original code is as follows:

// middleware.ts
import { NextResponse } from "next/server"
import type { NextFetchEvent, NextRequest } from "next/server"

import { getToken } from "next-auth/jwt"

export default async function middleware(req: NextRequest) {
  const token = await getToken({ req })
  const isAuthenticated = !!token
  
   // ...
}

export const config = {
  matcher: ["/((?!api|_next/static|_next/image|favicon.ico|auth/error).*)"],
}

Using the await auth(req, res) I have problem with the req and res

I am using: next@14.1.0 and next-auth@5.0.0-beta.5

Any ideas?

[zemunkh]

Did you resolve this issue?

[ezeparziale]

No

[manuelatdev]

same problem here

[ezeparziale]

same problem here

I resolved with this:

import { authConfig } from "@/auth.config"
import NextAuth from "next-auth"

export const { auth } = NextAuth(authConfig)

export default auth((req) => {
  const isAuthenticated = !!req.auth

 // code ...
})

export const config = {
  matcher: ["/((?!api|_next/static|_next/image|favicon.ico|auth/error).*)"],
}

Example: https://github.com/ezeparziale/quark/blob/main/src/middleware.ts

[AndreaBarghigiani]

I am still in the process of properly master Auth.js and in my app I work with Drizzle ORM so any database query inside middleware.ts is not an option.

What I found is that if you leverage the jwt and session callback to populate your session token with relevant informations, in my case I need the role and membership of the user to run some logic, you can get that with the getToken function.

The only thing is that you have to provide also a salt to get rid of the TS error.

Reading online I found this to be the solution in order to get and decode the token:

const secret = process.env.AUTH_SECRET as string;
const token = await getToken({
  req,
  secret,
  salt: 'authjs.session-token',
});

To be totally honest I have no clue why we need authjs.session-token as salt, but I found on a different discussion and it worked 😅

[ezeparziale]

With req.auth I can get:

{
  user: {
  email: 'user1@mail.com',
  id: 'b4bd587e-a543-4f66-96d3-b2a6bbda905d',
  active: true
},
  expires: '2024-06-21T21:44:55.851Z'
}

If more fields were added to the token, they will also be included.

[AndreaBarghigiani]

Are you sure? Which strategy do you use?

I use jwt and if I add data to the session via their callbacks I don't get the additional info:

// from middleware.ts
req.auth: {
  user: { name: 'Test', email: 'test@email.com', image: null },
  expires: '2024-06-22T12:57:00.478Z'
}
getToken(): {
  name: 'Test',
  email: 'test@email.com',
  picture: null,
  sub: 'be3ba5d0-202f-45f7-a0e2-d4de7bd5f6e7',
  role: 'user',
  membership: 'free',
  createdAt: '2024-05-09T14:44:39.650Z',
  emailVerified: null,
  credits: 4,
  iat: 1716468950,
  exp: 1719060950,
  jti: '67c37edc-e27a-4a13-8518-2576675d683c'
}

Anyway, glad that it worked for youo

[ezeparziale]

Check if you have added the fields in:

// auth.config.ts
...
async jwt({ token, user }) {
      if (user) {
            token.id = user.id
            token.active = user.active
      }
      return token
    },
async session({ session, user, token }) {
      if (token) {
        session.user.id = token.id
        session.user.active = token.active
      }
      return session
    },

[nahidtopalovic]

For those that can't use the middleware wrapper and want to use getToken in v5, you need to pass secret and secureCookie boolean:

const token = await getToken({
  req,
  secret:  process.env.AUTH_SECRET,
  secureCookie: request.nextUrl.protocol === 'https:'
});

Passing salt param works, but you'll have issues with different environments. For example in dev it will use http protocol and cookie name will be different from the name used for https protocol.