Middleware help
Unanswered
Checkered Giant posted this in #help-forum
Checkered Giant (OP)
Hi so I have the following middleware:
import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';
import { decode } from 'next-auth/jwt';
export default async function middleware(req: NextRequest) {
//console.log(req.cookies.get("next-auth.session-token"));
// Read the raw session cookie; undefined if the browser sent none
const sessionToken = req.cookies.get('next-auth.session-token')?.value;
// Decrypt/verify the JWE with the same secret next-auth used to issue it
const decoded = await decode({
token: sessionToken,
secret: process.env.NEXTAUTH_SECRET ?? '',
});
// No valid token: send the user to the configured redirect target
if (!decoded) return NextResponse.redirect(process.env.MIDDLEWARE_REDIRECT ?? '');
return NextResponse.next();
}
export const config = {
matcher: ['/dashboard'],
}
is this considered safe? Wouldnt it be remarkably easy to fake a jwe in this case to bypass?
5 Replies
New Guinea Singing Dog
Yes, because middleware runs on the server it is ok to include sensitive data
Why are you not using `next-auth/middleware`?
Checkered Giant (OP)
I was, but couldn't figure out how to redirect with the default middleware that they provide. If I could use the redirect I would, but not sure how?
@New Guinea Singing Dog Yes, because middleware runs on the server it is ok to include sensitive data
Checkered Giant (OP)
But if I sign out and paste in my old cookie it lets me straight through without even signing in. Is this normal?