Next.js Discord

Discord Forum

/ route does not go through middleware

Rough Collie posted this in #help-forum
Open in Discord
Rough CollieOP
I am using nextauth withauth middleware, and my static pages don't go through the middleware.
I am deploying using sst.
The effect is that you don't need to be loggedIn to access protected pages.
Any ideas where to look at?
Am i missing something, and in fact you can't have static pages protected?

App Router Next 13.5.4
"next": "^13.5.4",
"next-auth": "^4.24.5",
"sst": "2.36.7",

This is my middleware.

import { withAuth } from 'next-auth/middleware'

 * The whole website is under auth
export default withAuth({
  callbacks: {
    authorized({ req, token }) {
      console.log('🚀 ~ file: middleware.ts:9 ~ authorized ~ token:', token)
      // matcher array will be only requires the user to be logged in
      return !!token
  pages: {
    signIn: '/auth/signin',

export const config = {
  matcher: [

13 Replies

Alfonsus Ardani
what are your static pages?
Rough CollieOP
I don't understand the question.
I am using nextjs 13.5.4, app router
I get this from nextjs on build for them:
â—‹ (Static) automatically rendered as static HTML (uses no initial props)
Rough CollieOP
More information on my reproduction steps:

Fresh deploy, i go for the first time to my
I am redirected to login
I log in. I logout. I remain on page. I am NOT redirected
Refresh. Nothing happens
Alfonsus Ardani
have you tried console.logging insdie your default exports
export default middleware(){

and see if your static pages get run through middleware
Rough CollieOP
'/' goes only the first time, on refresh it does not go through the middleware
same of other pages, if i click on <Link> they don't go through middleware, but if refresh they do ... :/

I am testing this change in my middleware, and until now it seems i get the desired effect, but destroys a cache layer:
export default withAuth( function middleware(req) { const response = response.headers.set('x-middleware-cache', 'no-cache') response.headers.set('cache-control', 'no-cache, no-store, must-revalidate') return response })

I updated next, sst and nextauth to latest version
try add this to the buildComment in your NextjsSite construct "npx open-next@latest build"
Five-striped Sparrow
Facing the same issue. I believe, when you load the site for the first time and user is not logged in, <Link > tries to prefetch the which would point to /login because middleware redirected to /login. It keeps serving the /login page even though user is authenticated. In my case, it works after 5 mins, may be because of some cache timeout setting. Did you manage to fix it? I've opened the issue here as well.
Devon Rex
Facing exactly same issue. Even after session.status is authenticated, my protected page "/dashboard" is not loading and redirected to login page again. But, when I enter /dashboard in address bar, then it loads... Need proper solution.
well, op use sst with open-next which had issue with middleware <= v2.3.1. are you using with sst too?
DirtyCajunRice | AppDir
1. upgrade next
2. upgrade next-auth to 5.
then let us know if you are still having issues.
Devon Rex
You mean next-auth beta? I am working on a production and facing this issue. Is it safe to upgrade to beta releases?