Can getSession pass the context's authorization header to the session fetch? #3151

Closed
BrianHigby opened this issue Nov 8, 2021 · 3 comments
Labels
question Ask how to do something or how something works


@BrianHigby

Question 💬

We are implementing a basic username / password via middleware using this example from the Vercel docs: https://github.com/vercel/examples/blob/main/edge-functions/basic-auth-password/pages/_middleware.ts

The goal is to add a simple user/pass to access the app itself until it fully launches. To clarify, we use next-auth within the app itself for its login system using the Credentials Provider.

We've encountered an issue once this middleware is added to the project in which the internal fetch calls being made from next-auth's getSession function do not chain along the current context's authorization header. The middleware now requires this for all requests and when it fetches the session from the /api/auth/session endpoint the middleware doesn't see the expected authorization header and returns a 401 error. This results in a null session being returned by the getSession function.

We were able to fix the issue locally by expanding the options passed to fetch to include the current context's authorization header by adding authorization: req.headers.authorization here on line 320

const baseUrl = await _apiBaseUrl()
const options = req ? { headers: { cookie: req.headers.cookie } } : {}
const res = await fetch(`${baseUrl}/${path}`, options)

We're more than happy to submit a PR for this but as we're new to using next-auth we wanted to propose the change first in case we've overlooked any possible issues this might cause.

How to reproduce ☕️

Add the middleware example found here to a Next.js 12 project:
https://github.com/vercel/examples/blob/main/edge-functions/basic-auth-password/pages/_middleware.ts

Call getSession from getServerSideProps:

export const getServerSideProps: GetServerSideProps = async (context) => {
  const session = await getSession(context)
  // ...
}

With the middleware added, getSession always returns null.

Contributing 🙌🏽

Yes, I am willing to help answer this question in a PR

@BrianHigby BrianHigby added the question Ask how to do something or how something works label Nov 8, 2021
@BrianHigby BrianHigby changed the title Can getSession pass the context's authorization headers to the session fetch? Can getSession pass the context's authorization header to the session fetch? Nov 8, 2021
@balazsorban44
Member

Middleware support is not there yet, see #3037

@balazsorban44
Member

balazsorban44 commented Nov 8, 2021

I am also working on eliminating the fetch call. Currently, there is this import { getServerSession } from "next-auth" (You will need a v4 beta version), but it is undocumented as it's still in an early stage. See #1535, #2294 for the discussion around it.

@BrianHigby
Author

@balazsorban44 thanks for the quick response!

We didn't consider it related to #3037 as the issue wasn't dependent on using next-auth from within a middleware. That being said, a new getServerSession that doesn't perform a fetch call solves the issue. Looking forward to v4.
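
The header forwarding proposed in the original post, as an added example that is not part of the thread or of next-auth's code: it builds the fetch options for the server-side session request, copying only the cookie and authorization headers and only when the target is the app's own configured origin. The helper name buildSessionFetchOptions, the origin check, and all sample values are assumptions made for illustration.

```javascript
// Added example (not next-auth code). Names and sample values are hypothetical.
// Only these incoming headers are ever copied onto the internal fetch.
const FORWARDED_HEADERS = ["cookie", "authorization"];

// req: the incoming Node request (header names are lower-cased by Node).
// targetUrl: the URL about to be fetched, e.g. `${baseUrl}/session`.
// trustedOrigin: the app's own configured origin (assumed to come from config,
// never from a request header such as Host).
function buildSessionFetchOptions(req, targetUrl, trustedOrigin) {
  if (!req || !req.headers) return {};

  let target, trusted;
  try {
    target = new URL(targetUrl);
    trusted = new URL(trustedOrigin);
  } catch {
    return {}; // unparsable URL: send no credentials at all
  }

  // Credentials leave the process only when the request goes back to the
  // app itself; any other origin gets an unauthenticated request.
  if (target.origin !== trusted.origin) return {};

  const headers = {};
  for (const name of FORWARDED_HEADERS) {
    const value = req.headers[name];
    if (typeof value === "string" && value.length > 0) headers[name] = value;
  }
  return Object.keys(headers).length > 0 ? { headers } : {};
}

// Constructed sample request: values are placeholders, not real credentials.
const sampleReq = {
  headers: {
    cookie: "next-auth.session-token=constructed-token",
    authorization: "Basic Y29uc3RydWN0ZWQ6dmFsdWU=",
    "x-internal-debug": "1",
  },
};

const sameOrigin = buildSessionFetchOptions(
  sampleReq, "https://app.example.test/api/auth/session", "https://app.example.test");
const otherOrigin = buildSessionFetchOptions(
  sampleReq, "https://other.example.test/api/auth/session", "https://app.example.test");

console.log(sameOrigin, otherOrigin);
```
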
