Next.js Discord

Discord Forum

getToken() returns null in production but works fine in development

Unanswered
Tomistoma posted this in #help-forum
TomistomaOP
I'm working on a Next.js application where I use getToken() (from authjs) to retrieve the user's token. It works perfectly in development, returning the expected token, but in production, it returns null.
Things I've checked:
My environment variables (AUTH_SECRET, AUTH_URL, etc.) are correctly set in both development and production.
The authentication works in development without issues.
Almost everything seems correct, but for some reason, getToken() only fails in production.

12 Replies

Blood cockle
how is it failing? erroring? returning null?
TomistomaOP
Code snippet:
Here’s how I’m using getToken():
```js
import { adminRoute, authRoutes, privateRoutes, publicRoutes } from "@/routes";
import { getToken } from "next-auth/jwt";
import NextAuth from "next-auth";
import authConfig from "./auth.config";
import { NextResponse } from "next/server";

const { auth } = NextAuth(authConfig);

export default auth(async (req) => {
  const isLoggedIn = !!req.auth;
  const { pathname } = req.nextUrl;
  const baseURL = req.nextUrl.origin;

  const res = NextResponse.next();

  const token = await getToken({
    req,
    secret: process.env.NEXTAUTH_SECRET,
  });

  console.log("Request auth:", req.auth);

  const role = token?.role;
  const isAdmin = role === "admin";

  const dashboardUrl = isAdmin
    ? "/ad/dashboard"
    : role === "scout"
      ? "/scout/dashboard"
      : "/";

  const isPrivateRoute = privateRoutes.includes(pathname);
  const isPublicRoute = publicRoutes.includes(pathname);
  const isAuthRoute = authRoutes.includes(pathname);
  const isApiRoute = pathname.startsWith("/api");
  const isAdminRoute =
    pathname.startsWith(adminRoute + "/") || pathname === adminRoute;

  // API route
  if (isApiRoute) {
    return res;
  }

  // Authentication route
  if (isAuthRoute) {
    if (isLoggedIn) {
      return NextResponse.redirect(new URL(dashboardUrl, baseURL));
    }
    return res;
  }

  // Private route
  if (isPrivateRoute && !isLoggedIn) {
    return NextResponse.redirect(new URL("/login", baseURL));
  }

  // Public route
  if (isPublicRoute) {
    return res;
  }

  // Admin route
  if (isAdminRoute) {
    if (!isAdmin || !isLoggedIn) {
      return NextResponse.redirect(new URL("/unauthorized", baseURL));
    }
    return res;
  }

  // Allow other access
  return res;
});

export const config = {
  matcher: [
    "/((?!_next|[^?]*\\.(?:html?|css|js(?!on)|jpe?g|webp|png|gif|svg|ttf|woff2?|ico|csv|docx?|xlsx?|zip|webmanifest)).*)",
    "/(api|trpc)(.*)",
  ],
};
```
Blood cockle
do you have NEXTAUTH_URL set?
TomistomaOP
Yes
Both on my dev environment and Vercel
Blood cockle
you know how NEXT_PUBLIC variables work?
TomistomaOP
Yes.
Hi Sam, can I DM?
I need help 🙏🏿🙏🏿🙏🏿. What should I further provide?
TomistomaOP
@LuisLl
Are you 100% sure the names are correct, both in your .env locally and the ENV variables with your hosting provider?
You're using NEXTAUTH_SECRET
const token = await getToken({ req, secret: process.env.NEXTAUTH_SECRET, });

But I'm confused since you said this:
My environment variables (AUTH_SECRET, AUTH_URL, etc.)
TomistomaOP
Hi @LuisLl! Yes, they matched correctly, both local and production. I know there has to be something wrong somewhere, but almost everything I could check is intact.

I'm starting to think it's not meant to work on production, sigh!
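
The name check LuisLl asks about, as an added example that is not part of the thread: it lists every `process.env` name a source file reads, flags the ones that are unset in a given environment, and suggests defined names that end in the same word. The helper names (`referencedEnvNames`, `auditEnv`) and the sample source and environment are constructed for illustration; only variable names are reported, never values.

```javascript
// Added example, not code from the thread. Helper names are hypothetical.
// Matches process.env.NAME and process.env["NAME"].
const ENV_REF = /process\.env(?:\.([A-Za-z_$][\w$]*)|\[\s*["']([^"']+)["']\s*\])/g;

// Every environment variable name the source text reads, sorted.
function referencedEnvNames(source) {
  const names = new Set();
  for (const m of source.matchAll(ENV_REF)) names.add(m[1] ?? m[2]);
  return [...names].sort();
}

// Last underscore-separated word: NEXTAUTH_SECRET -> SECRET, AUTH_URL -> URL.
const lastWord = (name) => name.slice(name.lastIndexOf("_") + 1);

// Names the code reads that are unset or empty in `env`, each paired with the
// defined names sharing its last word (a likely rename or prefix mismatch).
// Values are never returned or logged, so the report is safe to paste.
function auditEnv(source, env) {
  const defined = Object.keys(env).filter((k) => env[k]).sort();
  return referencedEnvNames(source)
    .filter((name) => !env[name])
    .map((name) => ({
      name,
      similar: defined.filter((d) => lastWord(d) === lastWord(name)),
    }));
}

// Constructed sample: the getToken() call from the thread plus one bracket
// read, checked against an environment that only defines the AUTH_* names.
const SAMPLE_SOURCE = `
const token = await getToken({ req, secret: process.env.NEXTAUTH_SECRET });
const base = process.env["AUTH_URL"];
`;
const SAMPLE_ENV = {
  AUTH_SECRET: "constructed-not-a-real-secret",
  AUTH_URL: "https://app.example.test",
};

function runSample() {
  return auditEnv(SAMPLE_SOURCE, SAMPLE_ENV);
}

console.log(JSON.stringify(runSample()));
```

Against a real deployment, pass the middleware's source text and the `process.env` of the production runtime (not the local shell), since the two environments are configured separately.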