Thanks for a good post.
I am using NextJS with Zeit Now 2.0 for serverless hosting.
In the NextJS tutorial they use server.js and express to add “Server side support for clean URLs”. However, with Now 2.0 serverless, they seem to recommend using routing within ‘now.json’ for that.
Which is why I have stopped using server.js/express when deploying.
However, your example uses server.js with express. Is there a way to achieve the fully server-side authentication as you described it without an express server, e.g. by modifying the _document.js page, or similar?
You stated above:
Note, however, that it is not a good idea to let the token leak to the browser. Use it on the backend only and fetch the API from there. That’s why I use delete user.accessToken.
Is it bad to store the idToken and/or accessToken with cookies?
With that approach, will you be able to fetch from the API in a client-side getInitialProps? As far as I know, navigating to new pages with the NextJS Router or Link will not call the server-side getInitialProps, and I don’t think the access token will be available for API calls then.
If that is the case - how would you solve it?