Edge getSession adds large joi-browser package

nocodehummel commented 10 months ago

Checklist

[X] The issue can be reproduced in the nextjs-auth0 sample app (or N/A).
[X] I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
[X] I have looked into the API documentation and have not found a suitable solution or answer.
[X] I have searched the issues and have not found a suitable solution or answer.
[X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
[X] I agree to the terms within the Auth0 Code of Conduct.

Description

The Nextjs middleware package contains the joi-browser package when getSession is imported from @auth0/nextjs-auth0/edge. Joi-browser is deprecated and should not be part of the server bundle.

import { NextResponse } from 'next/server';
import { getSession } from '@auth0/nextjs-auth0/edge';

export async function middleware(request: Request) {
  const session = await getSession();
  return NextResponse.next();
}

It has a large impact on the Edge middleware package size.

Reproduction

import { getSession } from '@auth0/nextjs-auth0/edge' in middleware.ts.
call getSession inside the middleware function.
build the application with a bundle analyzer.

Additional context

Reproduced with: https://github.com/nordicgit70/nextjs-app/tree/auth0-joi.

nextjs-auth0 version

3.3.0

Next.js version

14.0.2

Node.js version

18.18.2

adamjmcgrath commented 10 months ago

Thanks for raising this @nordicgit70

Joi-browser is deprecated and should not be part of the server bundle.

Will take a look at upgrading to @hapi/joi@16.0.0

nocodehummel commented 10 months ago

Thanks, it would great if the getSession function could have less impact on the bundle size. VSC Import Cost indicates a very large import.

import { useUser } from '@auth0/nextjs-auth0/client'; 12.3k (gzipped: 2.8k)
import { getSession } from '@auth0/nextjs-auth0'; 481.9k (gzipped: 132.9k)

nocodehummel commented 10 months ago

Closed by mistake.

frederikprijck commented 9 months ago

It looks like joi-browser.min.js is pulled in from joi and is still in there, see https://github.com/hapijs/joi/blob/master/package.json#L8C6-L8C13.

When you say joi-browser, is being deprecated, I assume you refer to the npm package and not the file used in this case, is that correct? In that case, I think having joi-browser.min.js is expected and not deprecated (unless I am missing something?).

I also think we should not migrate to @hapi/joi but stay on joi, see: https://github.com/hapijs/joi/issues/2411

However, we might want to consider moving away from joi altogteher, but that isn't something we can prioritise short term.

nocodehummel commented 9 months ago

Hi, my main issue is with the impact on package size. If that could be resolved would be great. I do not have an opinion on the usage of Joi.

nocodehummel commented 6 months ago

Hi, is it planned to resolve this?

frederikprijck commented 6 months ago

There is currently nothing planned to move away from joi, no.

nocodehummel commented 6 months ago

How can I reduce the package size? The package @auth0/nextjs-auth0/edge is too large to run in Edge (middleware).

simonseddon commented 1 month ago

Any current plans to look at this? A project I work on has recently upgraded from 1.9.2 to 3.5.0 and our bundle size has shot up. We're seeing this in our client-side bundle analyzer report.

auth0 / nextjs-auth0