Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MIddleware should accept custom JWT decode method to correctly read custom-signed JWT #4181

Open
hinsxd opened this issue Mar 14, 2022 · 5 comments · May be fixed by #4210
Open

MIddleware should accept custom JWT decode method to correctly read custom-signed JWT #4181

hinsxd opened this issue Mar 14, 2022 · 5 comments · May be fixed by #4210
Labels
enhancement good first issue

Comments

@hinsxd
Copy link

@hinsxd hinsxd commented Mar 14, 2022
edited

Description 📓

next-auth/packages/next-auth/src/next/middleware.ts

Line 84 in 7636de4

const token = await getToken({ req: req as any })

Middleware is calling getToken directly without providing any decode methods. By getToken() uses jwtDecrypt from jose package, and it will probably throws error when the JWT is not signed in the same way. It will throw error when we provide custom JWT encode/decode inside [...nextauth].ts

There should be a way to synchronize / share settings between [...nextauth].ts and _middleware.ts

How to reproduce ☕️

// [...nextauth].ts
import jwt from "jsonwebtoken";
...

  jwt: {
    encode: async ({ secret, token }) => {
      // Do other stuff
      return jwt.sign(token as any, secret, { algorithm: "HS256" });
    },
    decode: async ({ secret, token }) => {
      return jwt.verify(token as string, secret, {
        algorithms: ["HS256"],
      }) as any;
    },
  },
// Any _middleware.ts
export { default } from "next-auth/middleware"

Contributing 🙌🏽

No, I am afraid I cannot help regarding this
@hinsxd hinsxd added enhancement triage labels Mar 14, 2022
@balazsorban44 balazsorban44 added good first issue and removed triage labels Mar 15, 2022
@balazsorban44
Copy link

@balazsorban44 balazsorban44 commented Mar 15, 2022
edited

Yeah, I think we could add jwt.decode to the Middleware API, and forward it to getToken (the idea is to keep the API the same as NextAuthOptions). 👍 I don't think encode is used anywhere? 🤔

@hinsxd
Copy link
Author

@hinsxd hinsxd commented Mar 16, 2022

Yes I think so. As long as the middleware is only used to read session and protect pages, decode would be enough.

Some extra thoughts:
Is it possible to declare all the settings in next.config.js or a separate config files, so both api routes and middleware can grab the config? Sounds like a better option than asking user to abstract the decode function themselves and put it somewhere. We can have some opinionated file structures

@hinsxd hinsxd linked a pull request Mar 17, 2022 that will close this issue
Open
4 tasks
@hinsxd
Copy link
Author

@hinsxd hinsxd commented Mar 17, 2022

@balazsorban44 I have made PR to address this issure. Feel free to have a look, thanks!

@agustif
Copy link

@agustif agustif commented Mar 20, 2022

Some extra thoughts: Is it possible to declare all the settings in next.config.js or a separate config files, so both api routes and middleware can grab the config? Sounds like a better option than asking user to abstract the decode function themselves and put it somewhere. We can have some opinionated file structures

What I've seen in the codebase is declaring a const that you export in nextauth file itself called authOptions
https://github.com/nextauthjs/next-auth/blob/001354eaa8053427d996d2e7c0b3eba69e0552cb/apps/dev/pages/api/auth/%5B...nextauth%5D.ts
I've copied it myself, maybe that's good enough for now? Adding an auth.config.js in the future might be useful to make it easier from scratch to use appropiate config that can be reused across the codbase or different repos/projects.

@hinsxd
Copy link
Author

@hinsxd hinsxd commented Mar 21, 2022

Agreed. Lets keep everything simple unless a rewrite / breaking change is going to be introduced.

@darknoon darknoon mentioned this issue Apr 7, 2022
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement good first issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: custom jwt decode method for middleware hinsxd/next-auth
3 participants
@agustif @hinsxd @balazsorban44