Next-auth: Using getToken in getServerSideProps()

Created on 29 Sep 2020 · 5Comments · Source: nextauthjs/next-auth

Thanks for the great work on next-auth, keep it up :)

I am trying to use jwt.getToken() inside getServerSideProps():

export async function getServerSideProps({ req }) {
  const secret = process.env.SECRET
  const token = await jwt.getToken({ req, secret })

It crashes as follows:

TypeError: Cannot read property 'next-auth.session-token' of undefined
    at Object.<anonymous> (/Users/hornchris/Desktop/dev/next-auth-example/node_modules/next-auth/dist/lib/jwt.js:117:28)

Digging into the code, it's because req.cookies is undefined in my req object.

I got it working by parsing the cookie manually using next-cookies and modifying the req object, then passing this to getToken():

  import cookies from 'next-cookies';
  ...
  export async function getServerSideProps(context) {
     const req = context.req;
     req.cookies = cookies(context);
     const token = await jwt.getToken({ req, secret })
     console.log(token)  // all good here
  ...

It would be nice if the getToken() helper could check for req.headers.cookie and do the parsing for me.

The reason I need access to the jwt token content at this point is because I am inserting some user info using callbacks.jwt inside [...nextauth].js and I need to refer to that information in the server side functions.

Or am I doing something wrong?

enhancement priority question

Source

chrishornmem

👍2

Most helpful comment

I'm not using a custom server. In fact the problem appears in the sample application. Here's a link to my repo which is a modified clone of that one.

https://github.com/chrishornmem/next-auth-example/blob/master/pages/protected-ssr.js

export async function getServerSideProps(context) {
  const session = await getSession(context)

  const req = context.req;

  console.log("typeof req.cookies:"+ typeof req.cookies);  // this is undefined

chrishornmem on 30 Sep 2020

👍2

All 5 comments

Oh, that's odd! Hmm I am fairly sure Next.js adds the cookie parsing to the req for pages as well as API routes, but I could be wrong about that...

Are you using a custom server, like Express, by any chance?

I'm not adverse to us refactoring how cookies are handle to reduce the dependency on the Next.js server helper methods to reduce the instances of issues like this (they are not common, but would mean the library could also be adapted to be used with other frameworks like Nuxt.js too).

iaincollins on 30 Sep 2020

I'm not using a custom server. In fact the problem appears in the sample application. Here's a link to my repo which is a modified clone of that one.

https://github.com/chrishornmem/next-auth-example/blob/master/pages/protected-ssr.js

export async function getServerSideProps(context) {
  const session = await getSession(context)

  const req = context.req;

  console.log("typeof req.cookies:"+ typeof req.cookies);  // this is undefined

chrishornmem on 30 Sep 2020

👍2

Thanks for that, I think req.cookies is indeed not added to pages in Next.js only to API routes (I'm sure I've looked into it a few times before and never remember that).

I think we can safely refactor the code to remove this assumption so that the method can be used from pages too.

I'm going to stick the priority label on this just because it's an easy thing to address and should be able to roll it into the next release.

iaincollins on 1 Oct 2020

Great, thanks a lot

chrishornmem on 1 Oct 2020

Stumbled upon this today - took me a while to figure it out. getSession() is also affected btw.

What i'm trying to do is to have an API route in my NextJS app acting as a proxy, and forwarding requests to my backend API. This allows me to filter the APIs exposed to the public on a per-app basis, which is great.

In short : getServerSideProps() makes a call to pages/api/proxy/[...proxy].js (proxy) which does a call to my backend API and sends back the result. This actually does a redundant api call, but allows me centralize on the server side my logic for calling my backend (and not disclose it to the client).

The best case would be to have getToken() working on the server side. Right now, i'm forced to put the access and refresh tokens in the session, when i could leave them on the server side in the token object, which is find better personally. Doesn't make much difference in terms of security IMHO, but the code is cleaner, as I don't have to send both accessToken and refreshToken from the client to the proxy on each request.

@iaincollins , any update on this ?