@auth0/nextjs-auth0 calling me prior to login

  • @auth0/nextjs-auth0
  • 1.3.1
  • next 10.2.2

The problem that I am having is that my call to login.js is also automatically calling /api/auth/me. Given that the user has not logged in yet, this call to /api/auth/me returns 401 Unauthorised, which is correct, but it seems to me that this call shouldn’t be being made in the first place. I am worried that my setup is not correct.

I was using an earlier version of nextjs-auth0 so I had already created files for login.js, logout.js, callback.js and me.js.

// /pages/api/login.js
import auth0 from '../../utils/auth0'

export default async function login(req, res) {
  try {
    await auth0.handleLogin(req, res, {
      returnTo: '/Dashboard'
    })
  } catch (error) {
    console.error(error);
    res.status(error.status || 500).end(error.message);
  }
}

// /utils/auth0.js
import { initAuth0 } from '@auth0/nextjs-auth0'
import getConfig from 'next/config'
const { serverRuntimeConfig } = getConfig()

export default initAuth0({
  baseURL: serverRuntimeConfig.AUTH0_BASE_URL,
  issuerBaseURL: serverRuntimeConfig.AUTH0_ISSUER_BASE_URL,
  clientID: serverRuntimeConfig.AUTH0_CLIENT_ID,
  clientSecret: serverRuntimeConfig.AUTH0_CLIENT_SECRET,
  secret: serverRuntimeConfig.AUTH0_SESSION_COOKIE_SECRET,
  clockTolerance: 60,
  httpTimeout: 5000,
  authorizationParams: {
    scope: 'openid profile email',
    prompt: 'login'
  },
  routes: {
    callback: '/api/callback',
    postLogoutRedirect: serverRuntimeConfig.AUTH0_POST_LOGOUT_REDIRECT_URI
  },
  session: {
    rollingDuration: 60 * 60 * 24,
    absoluteDuration: 60 * 60 * 24 * 7
  }
})

Upgrading to v1.3.1 meant that I needed to add the following dynamic API route handler:

// /pages/api/auth/[...auth0].js
import auth0 from '../../../utils/auth0'

export default auth0.handleAuth()

that creates the following URLs: /api/auth/login, /api/auth/callback, /api/auth/logout and /api/auth/me.

So to reiterate, it all seems to work, except that my call to /api/login (my pre-existing file and not the auto-generated /api/auth/login) also causes a call to /api/auth/me. This call fails with a 401 as the user hasn’t logged in yet - so no me to return. Can I prevent this call to /api/auth/me?

Thanks.


Hi,
I have the same issue with the same setup.
Did you find out what the issue was, by chance?

Hey there!

I think the best way to handle that would be to raise it as a GitHub issue in the repo so we can talk about it directly with the repo maintainers. Thank you!
