fix(middleware): improve handling of custom Next.js basePath (#5109)

psperber · web-flow · commit 490d59dd1708 · 2022-10-09T11:31:28.000+07:00
* fix(middleware): improve handling of custom nextjs basePath

* fix(middleware): improve extraction of nextjs base path from req.nextUrl

* adapt to req.nextUrl.basePath

* Fix indent

* Add middleware test for custom-base and simplified code a little bit

* Fix indent

* Add another test

* Rename basePath and nextJsBasePath

* Fix lint error
diff --git a/packages/next-auth/src/next/middleware.ts b/packages/next-auth/src/next/middleware.ts
@@ -101,17 +101,17 @@ async function handleMiddleware(
   options: NextAuthMiddlewareOptions | undefined,
   onSuccess?: (token: JWT | null) => Promise<NextMiddlewareResult>
 ) {
-  const { pathname, search, origin } = req.nextUrl
+  const { pathname, search, origin, basePath } = req.nextUrl
 
   const signInPage = options?.pages?.signIn ?? "/api/auth/signin"
   const errorPage = options?.pages?.error ?? "/api/auth/error"
-  const basePath = parseUrl(process.env.NEXTAUTH_URL).path
+  const authPath = parseUrl(process.env.NEXTAUTH_URL).path
   const publicPaths = ["/_next", "/favicon.ico"]
 
   // Avoid infinite redirects/invalid response
   // on paths that never require authentication
   if (
-    pathname.startsWith(basePath) ||
+    `${basePath}${pathname}`.startsWith(authPath) ||
     [signInPage, errorPage].includes(pathname) ||
     publicPaths.some((p) => pathname.startsWith(p))
   ) {
@@ -125,7 +125,7 @@ async function handleMiddleware(
       `\nhttps://next-auth.js.org/errors#no_secret`
     )
 
-    const errorUrl = new URL(errorPage, origin)
+    const errorUrl = new URL(`${basePath}${errorPage}`, origin)
     errorUrl.searchParams.append("error", "Configuration")
 
     return NextResponse.redirect(errorUrl)
@@ -145,8 +145,8 @@ async function handleMiddleware(
   if (isAuthorized) return await onSuccess?.(token)
 
   // the user is not logged in, redirect to the sign-in page
-  const signInUrl = new URL(signInPage, origin)
-  signInUrl.searchParams.append("callbackUrl", `${pathname}${search}`)
+  const signInUrl = new URL(`${basePath}${signInPage}`, origin)
+  signInUrl.searchParams.append("callbackUrl", `${basePath}${pathname}${search}`)
   return NextResponse.redirect(signInUrl)
 }
 
diff --git a/packages/next-auth/tests/middleware.test.ts b/packages/next-auth/tests/middleware.test.ts
@@ -38,3 +38,58 @@ it("should not redirect on public paths", async () => {
   const res = await handleMiddleware(req, null as any)
   expect(res).toBeUndefined()
 })
+
+it("should redirect according to nextUrl basePath", async () => {
+  const options: NextAuthMiddlewareOptions = {
+    secret: "secret"
+  }
+  const nextUrl: any = {
+    pathname: "/protected/pathA",
+    search: "",
+    origin: "http://127.0.0.1",
+    basePath: "/custom-base-path",
+  }
+  const req: any = { nextUrl, headers: { authorization: "" } }
+
+  const handleMiddleware = withAuth(options) as NextMiddleware
+  const res = await handleMiddleware(req, null as any)
+  expect(res).toBeDefined()
+  expect(res.status).toEqual(307)
+  expect(res.headers.get('location')).toContain("http://127.0.0.1/custom-base-path/api/auth/signin?callbackUrl=%2Fcustom-base-path%2Fprotected%2FpathA")
+})
+
+it("should redirect according to nextUrl basePath", async () => {
+  // given
+  const options: NextAuthMiddlewareOptions = {
+    secret: "secret"
+  }
+  const handleMiddleware = withAuth(options) as NextMiddleware
+
+  // when
+  const res = await handleMiddleware({
+    nextUrl: {
+      pathname: "/protected/pathA",
+      search: "",
+      origin: "http://127.0.0.1",
+      basePath: "/custom-base-path"
+    }, headers: { authorization: "" }
+  } as any, null as any)
+
+  // then
+  expect(res).toBeDefined()
+  expect(res.status).toEqual(307)
+  expect(res.headers.get("location")).toContain("http://127.0.0.1/custom-base-path/api/auth/signin?callbackUrl=%2Fcustom-base-path%2Fprotected%2FpathA")
+
+  // and when follow redirect
+  const resFromRedirectedUrl = await handleMiddleware({
+    nextUrl: {
+      pathname: "/api/auth/signin",
+      search: "callbackUrl=%2Fcustom-base-path%2Fprotected%2FpathA",
+      origin: "http://127.0.0.1",
+      basePath: "/custom-base-path"
+    }, headers: { authorization: "" }
+  } as any, null as any)
+
+  // then return sign in page
+  expect(resFromRedirectedUrl).toBeUndefined()
+})
