fix(middleware): allow secret as option in Middleware (#4846)

sean-nicholas · balazsorban44 · web-flow · commit c59a4e04d1a3 · 2022-07-07T14:14:21.000+02:00
* ✨ provide secret via config

* 🐛 make secret optional

* 📝 docs for middleware and env var

* 📝  recommendation at the end of paragraph

Co-authored-by: Balázs Orbán &lt;info@balazsorban.com&gt;
diff --git a/docs/docs/configuration/nextjs.md b/docs/docs/configuration/nextjs.md
@@ -80,10 +80,11 @@ You can get the `withAuth` middleware function from `next-auth/middleware` eithe
 
 ### Prerequisites
 
-You must set the [`NEXTAUTH_SECRET`](/configuration/options#nextauth_secret) environment variable when using this middleware. If you are using the [`secret` option](/configuration/options#secret) this value must match.
+You must set the same secret in the middleware that you use in NextAuth. The easiest way is to set the [`NEXTAUTH_SECRET`](/configuration/options#nextauth_secret) environment variable. It will be picked up by both the [NextAuth config](/configuration/options#options), as well as the middleware config.
 
-**We strongly recommend** replacing the `secret` value completely with this `NEXTAUTH_SECRET` environment variable. This environment variable will be picked up by both the [NextAuth config](/configuration/options#options), as well as the middleware config.
+Alternatively, you can provide the secret using the [`secret`](#secret) option in the middleware config.
 
+**We strongly recommend** replacing the `secret` value completely with this `NEXTAUTH_SECRET` environment variable.
 
 ### Basic usage
 
@@ -149,6 +150,22 @@ See the documentation for the [pages option](/configuration/pages) for more info
 
 ---
 
+### `secret`
+
+- **Required**: _No_
+
+#### Description
+
+The same `secret` used in the [NextAuth config](/configuration/options#options).
+
+#### Example (default value)
+
+```js
+secret: process.env.NEXTAUTH_SECRET
+```
+
+---
+
 ### Advanced usage
 
 NextAuth.js Middleware is very flexible, there are multiple ways to use it.
diff --git a/docs/docs/configuration/options.md b/docs/docs/configuration/options.md
@@ -27,9 +27,8 @@ Using [System Environment Variables](https://vercel.com/docs/concepts/projects/e
 
 ### NEXTAUTH_SECRET
 
-Used to encrypt the NextAuth.js JWT, and to hash [email verification tokens](/adapters/models#verification-token). This is the default value for the [`secret`](/configuration/options#secret) option. The `secret` option might be removed in the future in favor of this.
+Used to encrypt the NextAuth.js JWT, and to hash [email verification tokens](/adapters/models#verification-token). This is the default value for the `secret` option in [NextAuth](/configuration/options#secret) and [Middleware](/configuration/nextjs#secret).
 
-If you are using [Middleware](/configuration/nextjs#prerequisites) this environment variable must be set.
 
 ### NEXTAUTH_URL_INTERNAL
 
diff --git a/packages/next-auth/src/next/middleware.ts b/packages/next-auth/src/next/middleware.ts
@@ -84,6 +84,12 @@ export interface NextAuthMiddlewareOptions {
      */
     authorized?: AuthorizedCallback
   }
+
+  /**
+   * The same `secret` used in the `NextAuth` configuration.
+   * Defaults to the `NEXTAUTH_SECRET` environment variable.
+   */
+  secret?: string
 }
 
 async function handleMiddleware(
@@ -102,7 +108,8 @@ async function handleMiddleware(
     return
   }
 
-  if (!process.env.NEXTAUTH_SECRET) {
+  const secret = options?.secret ?? process.env.NEXTAUTH_SECRET
+  if (!secret) {
     console.error(
       `[next-auth][error][NO_SECRET]`,
       `\nhttps://next-auth.js.org/errors#no_secret`
@@ -118,6 +125,7 @@ async function handleMiddleware(
     req,
     decode: options?.jwt?.decode,
     cookieName: options?.cookies?.sessionToken?.name,
+    secret,
   })
 
   const isAuthorized =
