Edge getSession adds large joi-browser package

nocodehummel commented 1 year ago

Checklist

[X] The issue can be reproduced in the nextjs-auth0 sample app (or N/A).
[X] I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
[X] I have looked into the API documentation and have not found a suitable solution or answer.
[X] I have searched the issues and have not found a suitable solution or answer.
[X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
[X] I agree to the terms within the Auth0 Code of Conduct.

Description

The Nextjs middleware package contains the joi-browser package when getSession is imported from @auth0/nextjs-auth0/edge. Joi-browser is deprecated and should not be part of the server bundle.

import { NextResponse } from 'next/server';
import { getSession } from '@auth0/nextjs-auth0/edge';

export async function middleware(request: Request) {
  const session = await getSession();
  return NextResponse.next();
}

It has a large impact on the Edge middleware package size.

Reproduction

import { getSession } from '@auth0/nextjs-auth0/edge' in middleware.ts.
call getSession inside the middleware function.
build the application with a bundle analyzer.

Additional context

Reproduced with: https://github.com/nordicgit70/nextjs-app/tree/auth0-joi.

nextjs-auth0 version

3.3.0

Next.js version

14.0.2

Node.js version

18.18.2

adamjmcgrath commented 12 months ago

Thanks for raising this @nordicgit70

Joi-browser is deprecated and should not be part of the server bundle.

Will take a look at upgrading to @hapi/joi@16.0.0

nocodehummel commented 12 months ago

Thanks, it would great if the getSession function could have less impact on the bundle size. VSC Import Cost indicates a very large import.

import { useUser } from '@auth0/nextjs-auth0/client'; 12.3k (gzipped: 2.8k)
import { getSession } from '@auth0/nextjs-auth0'; 481.9k (gzipped: 132.9k)

nocodehummel commented 12 months ago

Closed by mistake.

frederikprijck commented 11 months ago

It looks like joi-browser.min.js is pulled in from joi and is still in there, see https://github.com/hapijs/joi/blob/master/package.json#L8C6-L8C13.

When you say joi-browser, is being deprecated, I assume you refer to the npm package and not the file used in this case, is that correct? In that case, I think having joi-browser.min.js is expected and not deprecated (unless I am missing something?).

I also think we should not migrate to @hapi/joi but stay on joi, see: https://github.com/hapijs/joi/issues/2411

However, we might want to consider moving away from joi altogteher, but that isn't something we can prioritise short term.

nocodehummel commented 11 months ago

Hi, my main issue is with the impact on package size. If that could be resolved would be great. I do not have an opinion on the usage of Joi.

nocodehummel commented 8 months ago

Hi, is it planned to resolve this?

frederikprijck commented 8 months ago

There is currently nothing planned to move away from joi, no.

nocodehummel commented 8 months ago

How can I reduce the package size? The package @auth0/nextjs-auth0/edge is too large to run in Edge (middleware).

simonseddon commented 3 months ago

Any current plans to look at this? A project I work on has recently upgraded from 1.9.2 to 3.5.0 and our bundle size has shot up. We're seeing this in our client-side bundle analyzer report.

auth0 / nextjs-auth0