RFC: discuss value of Next.js middleware

[kmjennison]

Next.js supports middleware, which this library could recommend as a way to integrate with next-firebase-auth. I'd like to gather input on whether middleware provides value that the current API (withAuthUser and withAuthUserTokenSSR) does not.

My initial assessment is that middleware usage could be a good option for apps where auth info is needed on many or all pages and the server-side auth/redirect settings don't change between pages. In this scenario, middleware could provide an AuthUser on the request object in getServerSideProps or redirect as needed.

However:

• Middleware can't currently set return data or set React context; thus, unlike the existing API for SSR pages, AuthUser won't be set on the client side until the Firebase JS SDK initializes.
• Middleware reduces flexibility on whether to use auth info on individual pages.

Feedback and input appreciated!

[aprendendofelipe]

First of all, congratulations on your job well done! I've been using it successfully for over a year. About Next.js middleware, what would be the approach to use since Node.js is not supported? It would not be possible to use the Firebase Admin SDK

Source: https://vercel.com/docs/concepts/functions/edge-functions#unsupported-apis

[kmjennison]

Is that correct? It reads that only native Node.js APIs aren't supported.

From docs:

The Edge Runtime has some restrictions including:

• Native Node.js APIs are not supported. For example, you can't read or write to the filesystem
• Node Modules can be used, as long as they implement ES Modules and do not use any native Node.js APIs

That aside, there's not a clear use case for needing middleware yet. This thread has been quiet.

[aprendendofelipe]

Is that correct? It reads that only native Node.js APIs aren't supported.

The problem seems to be the fs module used by the Firebase Admin SDK

[abusada]

I saw the addition of the recent getUserFromCookies function, I was wondering if it could be used inside the updated nextjs middleware to do basic authentication like this example here.

I see that getUserFromCookies is still using the admin SDK, but only if includeToken is true, wondering if it would make sense to either

• Only require admin SDK if includeToken is passed
• Or to inject verifyIdToken to getUserFromCookies... getUserFromCookies(ctx, verifyIdToken)

this way we can use getUserFromCookies inside middleware + API routes and have them running on the edge runtime

[kmjennison]

@abusada That's a good idea and should be a pretty simple first step.

On top of that, we can probably support the same behavior as withAuthUserSSR if we modify the redirects to use NextResponse and are careful to avoid native Node APIs. We could pass the user in a request header (maybe X-NFA-User?).

[abusada]

yes, that sounds great, I would gladly prepare a pull request with the changes, I'll try to have one ready by the end of the week

[trymbill]

Ended up here when researching the possibility of doing simple JWT verification in an edge middleware and redirecting end-user to /logout if that fails. I don't see a PR linked to this issue, was this change to getUserFromCookies ever implemented?

[kmjennison]

@trymbill Not yet. PR welcome for this!

[ancashoria]

Hey, any news about this? I'd like to call some protected apis from the middleware and I need a token for that.

Thanks

[izakfilmalter]

Would love to get my auth code working on the edge.