getServerSession returns null for bearer token in Authorization header, but middleware allows access

[NilSet]

Environment

System:
OS: macOS 13.4.1
CPU: (10) arm64 Apple M1 Max
Memory: 251.70 MB / 32.00 GB
Shell: 5.2.15 - /opt/homebrew/bin/bash
Binaries:
Node: 18.16.1 - ~/.nvm/versions/node/v18.16.1/bin/node
Yarn: 1.22.19 - ~/.nvm/versions/node/v18.16.1/bin/yarn
npm: 9.5.1 - ~/.nvm/versions/node/v18.16.1/bin/npm
pnpm: 8.6.12 - ~/Library/pnpm/pnpm
Browsers:
Chrome: 116.0.5845.187
Safari: 16.5.2
npmPackages:
next: latest => 13.4.19
next-auth: latest => 4.23.1
react: ^18.2.0 => 18.2.0

Reproduction URL

nextauthjs/next-auth-example@8f58996

Describe the issue

The getToken function, and by extension the next-auth middleware, support checking for a bearer token in the Authorization header of the request for a JWT to decode, in addition to checking the configured cookie. getServerSession however only checks the configured cookie for a JWT.

This means that the middleware allows access to pages, but those pages cannot use getServerSession to access the session the request was made in.

How to reproduce

Check out the linked commit from the example (later commits are currently broken). configure a provider, and run the app.

Log in, and get your session JWT from the cooke via dev tools.

In a shell,

TOKEN=paste-the-token-from-dev-tools-here
curl  'http://localhost:3000/me'
# see a redirect to login page as this route is protected by middleware
curl 'http://localhost:3000/me' -H "Authorization: Bearer $TOKEN"
# see the me page when providing a valid jwt in the bearer token
curl 'http://localhost:3000/server' -H "Authorization: Bearer $TOKEN"
# see the null session from getServerSession, {"pageProps":{"session":null},"__N_SSP":true}

Expected behavior

getServerSession should also check the authorization header for a bearer token, like the middleware does for access control.

[balazsorban44]

getServerSession usually assumes that you are making the request from the same app, so it would not really need to check the Authorization header, as cookies should always be attached to the same site requests.

curl 'http://localhost:3000/server' -H "Authorization: Bearer $TOKEN"

This request would never occur in a normal browser session.

This might be a future enhancement after #7443 has landed and if there is still a need.

Since the new version will support Server Actions, there might not be a need to do manual fetch calls to the backend anymore though, and as said, cookies will be always attached anyway.

Moving to ideas.

[heybart]

@balazsorban44 what about API routes? In my NextJS application I defined a few API routes that are supposed to be stateless. And therefore authentication should happen on the Authorization header. Any tips on how to solve this issue?