fix(middleware): use includes() for NextAuth pages (#5104)

* fix(middleware): use `includes()` for NextAuth pages Some users could be setting their `signIn` and `error` pages option to `/` to disable the automatically generated pages, as suggested in [1]. This commit reverts the behaviour for matching `signIn` and `error` pages in `handleMiddleware` to pre-v4.10.3. ``` const signInPage = "/" const errorPage = "/" const publicPaths = [signInPage, errorPage, "/_next", "/favicon.ico"] // pathname = "/" will return true publicPaths.some((p) => pathname.startsWith(p)) ``` Fixes: aedabc8 ("fix: avoid redirect on always public paths") Reference [1]: #2330 (reply in thread) Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> * test(middleware): add tests for public paths Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> Signed-off-by: Eng Zer Jun <engzerjun@gmail.com> Co-authored-by: Thang Vu <thvu@hey.com>
nextauthjs · Sep 18, 2022 · 44f2a47 · 44f2a47
1 parent a3b92db
commit 44f2a47
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 1 deletion.
diff --git a/packages/next-auth/src/next/middleware.ts b/packages/next-auth/src/next/middleware.ts
@@ -106,12 +106,13 @@ async function handleMiddleware(
   const signInPage = options?.pages?.signIn ?? "/api/auth/signin"
   const errorPage = options?.pages?.error ?? "/api/auth/error"
   const basePath = parseUrl(process.env.NEXTAUTH_URL).path
-  const publicPaths = [signInPage, errorPage, "/_next", "/favicon.ico"]
+  const publicPaths = ["/_next", "/favicon.ico"]
 
   // Avoid infinite redirects/invalid response
   // on paths that never require authentication
   if (
     pathname.startsWith(basePath) ||
+    [signInPage, errorPage].includes(pathname) ||
     publicPaths.some((p) => pathname.startsWith(p))
   ) {
     return

diff --git a/packages/next-auth/tests/middleware.test.ts b/packages/next-auth/tests/middleware.test.ts
@@ -0,0 +1,40 @@
+import { NextMiddleware } from "next/server"
+import { NextAuthMiddlewareOptions, withAuth } from "../next/middleware"
+
+it("should not match pages as public paths", async () => {
+  const options: NextAuthMiddlewareOptions = {
+    pages: {
+      signIn: "/",
+      error: "/"
+    },
+    secret: "secret"
+  }
+
+  const nextUrl: any = {
+    pathname: "/protected/pathA",
+    search: "",
+    origin: "http://127.0.0.1"
+  }
+  const req: any = { nextUrl, headers: { authorization: "" } }
+
+  const handleMiddleware = withAuth(options) as NextMiddleware
+  const res = await handleMiddleware(req, null)
+  expect(res).toBeDefined()
+  expect(res.status).toBe(307)
+})
+
+it("should not redirect on public paths", async () => {
+  const options: NextAuthMiddlewareOptions = {
+    secret: "secret"
+  }
+  const nextUrl: any = {
+    pathname: "/_next/foo",
+    search: "",
+    origin: "http://127.0.0.1"
+  }
+  const req: any = { nextUrl, headers: { authorization: "" } }
+
+  const handleMiddleware = withAuth(options) as NextMiddleware
+  const res = await handleMiddleware(req, null)
+  expect(res).toBeUndefined()
+})