Description
Currently the SDK middleware contains this logic to determine that it should send a 401 Unauthorized response rather than attempt to redirect to login:
https://github.com/auth0/nextjs-auth0/blob/main/src/helpers/with-middleware-auth-required.ts#L116
Its only condition is that the route begins with "/api". However, that does not take into account things like server actions, which normally just send a POST request to the same URL that the current page is located on. As a result, the responses we get to unauthenticated server action calls are redirects, but since the middleware is attempting to redirect a POST request, the browser ends up sending a POST to /api/auth/login/, resulting in a 405 (Method Not Allowed).
To me the correct behaviour here would be to not redirect and instead respond with 401 any time the incoming request is not a GET.
Reproduction
1. Set up the auth0 middleware around all routes.
2. Create a page that calls a server action.
3. Trigger the action while in an unauthenticated state.
4. The response is a 307 with a redirect to the login page, despite it being a POST request.
Additional context
No response
nextjs-auth0 version
3.5.0
Next.js version
14.1.4
Node.js version
20.10.0
Similar problem here. I actually want to redirect on some routes starting with /api, I think; rather than trying to guess what the user wants, maybe some optional config would be nice? e.g. redirect on paths that match/start with a given prefix, otherwise 401. And also only redirect on GET, as mentioned above.
EDIT: Currently we are patching our auth lib this way:

```js
// Patched inside the compiled SDK middleware, where `req`, `pathname`,
// `login`, `returnTo` and `origin` are already in scope.
const fetchMode = req.headers.get('sec-fetch-mode');
// Only a top-level browser navigation can sensibly follow a login redirect;
// any other request that is a non-GET or targets an /api route gets a 401 JSON body.
if (!(fetchMode && fetchMode === 'navigate') && (req.method !== 'GET' || pathname.startsWith('/api'))) {
  return server_1.NextResponse.json({
    error: 'not_authenticated',
    description: 'The user does not have an active session or is not authenticated'
  }, { status: 401 });
}
return server_1.NextResponse.redirect(new URL(`${login}?returnTo=${encodeURIComponent(returnTo)}`, origin));
```
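The following is an added example, not code from nextjs-auth0 or from the commenter above, showing the combined rule the report and the comment argue for: only a GET that is a top-level navigation outside /api gets a login redirect; server action POSTs, fetch() calls and /api routes get a 401 JSON body, so a 307 can never replay a POST against the login route. It uses the standard Request/Response objects (which Next.js middleware builds on) and assumes the SDK's login route is `/api/auth/login`.

```javascript
// Added example (not the SDK's own code): decide how an unauthenticated
// request should be answered by an auth middleware. Assumption: the SDK's
// login handler lives at /api/auth/login, as in the report above.
const LOGIN_PATH = '/api/auth/login';

// True only for a request that a browser can sensibly be redirected on:
// a GET, outside /api, sent as a top-level navigation. Browsers send
// Sec-Fetch-Mode: navigate for link clicks / address-bar loads; server
// actions and fetch() calls send 'cors' or 'same-origin'. A missing header
// (older clients, non-browser tools) is treated as a navigation.
function isNavigationGet(req) {
  const url = new URL(req.url);
  const fetchMode = req.headers.get('sec-fetch-mode');
  const isNavigate = fetchMode === null || fetchMode === 'navigate';
  return req.method === 'GET' && isNavigate && !url.pathname.startsWith('/api');
}

// Build the response for a request that has no valid session.
function unauthenticatedResponse(req) {
  const url = new URL(req.url);
  if (!isNavigationGet(req)) {
    // 401 with a JSON body: a server action or API caller can surface the
    // error instead of the browser replaying a POST to the login route.
    const body = {
      error: 'not_authenticated',
      description: 'The user does not have an active session or is not authenticated'
    };
    return new Response(JSON.stringify(body), {
      status: 401,
      headers: { 'content-type': 'application/json' }
    });
  }
  // Top-level GET navigation: send the user to login and bring them back.
  const returnTo = url.pathname + url.search;
  const location = new URL(`${LOGIN_PATH}?returnTo=${encodeURIComponent(returnTo)}`, url.origin);
  return Response.redirect(location, 307);
}

// Constructed sample requests (not captured traffic) exercising each branch.
function demo() {
  const base = 'https://app.example';
  return {
    serverAction: unauthenticatedResponse(new Request(`${base}/dashboard`, {
      method: 'POST', headers: { 'sec-fetch-mode': 'cors' } })).status,          // 401
    clientFetch: unauthenticatedResponse(new Request(`${base}/dashboard`, {
      method: 'GET', headers: { 'sec-fetch-mode': 'cors' } })).status,           // 401
    apiRoute: unauthenticatedResponse(new Request(`${base}/api/items`)).status,  // 401
    navigation: unauthenticatedResponse(new Request(`${base}/dashboard?tab=1`, {
      method: 'GET', headers: { 'sec-fetch-mode': 'navigate' } })).status        // 307
  };
}
```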