Cleanup implementation

bcbogdan · bcbogdan · commit 46f93b19c723 · 2025-02-24T14:11:14.000+02:00
diff --git a/examples/with-next-ssr-app-directory/app/components/home.tsx b/examples/with-next-ssr-app-directory/app/components/home.tsx
@@ -7,13 +7,15 @@ import { CallAPIButton } from "./callApiButton";
 import { LinksComponent } from "./linksComponent";
 import { SessionAuthForNextJS } from "./sessionAuthForNextJS";
 
-import { getSSRSession } from "supertokens-auth-react/nextjs/ssr";
+import { getSSRSession, init } from "supertokens-auth-react/nextjs/ssr";
 import { ssrConfig } from "../config/ssr";
 
+init(ssrConfig());
+
 export async function HomePage() {
     const cookiesStore = await cookies();
     const headersStore = await headers();
-    const session = await getSSRSession(ssrConfig(), headersStore, cookiesStore, redirect);
+    const session = await getSSRSession(cookiesStore, redirect);
     console.log(session);
 
     /**
diff --git a/examples/with-next-ssr-app-directory/middleware.ts b/examples/with-next-ssr-app-directory/middleware.ts
@@ -18,7 +18,7 @@ export async function middleware(request: NextRequest & { session?: SessionConta
         }
 
         if (request.nextUrl.pathname.startsWith("/api/auth/session/refresh") && request.method === "GET") {
-            return refreshSession(ssrConfig(), request, NextResponse);
+            return refreshSession(ssrConfig(), request);
         }
 
         if (request.nextUrl.pathname.startsWith("/api/auth")) {
@@ -46,96 +46,18 @@ export async function middleware(request: NextRequest & { session?: SessionConta
     // https://github.com/vercel/next.js/issues/43704#issuecomment-2090798307
     // TL;DR: You can not access pathname in SSR and requests that originate from redirect()
     // do not have an origin header
-    return NextResponse.next({
-        headers: {
-            "x-current-path": request.nextUrl.pathname,
-        },
+    const response = new Response(null, {
+        status: 200,
     });
+    response.headers.append(
+        "set-cookie",
+        `sCurrentPath=${request.nextUrl.pathname}; Path=/; HttpOnly; SameSite=Strict`
+    );
+    return response;
 }
 
-const refreshTokenCookieName = "sRefreshToken";
-const refreshTokenHeaderName = "st-refresh-token";
-
-// async function refreshSession(request: NextRequest) {
-//     console.log("Attempting session refresh");
-//     const refreshToken =
-//         request.cookies.get(refreshTokenCookieName)?.value || request.headers.get(refreshTokenHeaderName);
-//     if (!refreshToken) {
-//         return NextResponse.redirect(new URL("/auth", request.url));
-//     }
-//
-//     const redirectTo = request.nextUrl.pathname;
-//     console.log(`Should redirect to ${redirectTo}`);
-//     try {
-//         const refreshResponse = await fetch(`http://localhost:3000/api/auth/session/refresh`, {
-//             method: "POST",
-//             headers: {
-//                 "Content-Type": "application/json",
-//                 Cookie: `sRefreshToken=${refreshToken}`,
-//             },
-//             credentials: "include",
-//         });
-//         console.log("Performed session refresh request");
-//
-//         const setCookieHeaders = refreshResponse.headers.getSetCookie();
-//         console.log(refreshResponse);
-//         console.log(refreshResponse.headers);
-//         console.log("Cookies", setCookieHeaders);
-//
-//         if (!setCookieHeaders.length) {
-//             return NextResponse.redirect(new URL("/auth", request.url));
-//         }
-//
-//         const frontToken = refreshResponse.headers.get("front-token");
-//         if (!frontToken) {
-//             return NextResponse.redirect(new URL("/auth", request.url));
-//         }
-//
-//         let sAccessToken: string | null = null;
-//         let sRefreshToken: string | null = null;
-//
-//         const redirectTo = new URL("/", request.url);
-//         const response = NextResponse.redirect(redirectTo);
-//         for (const header of setCookieHeaders) {
-//             if (header.includes("sAccessToken")) {
-//                 const match = header.match(/sAccessToken=([^;]+)/);
-//                 sAccessToken = match ? match[1] : null;
-//             }
-//             if (header.includes("sRefreshToken")) {
-//                 const match = header.match(/sRefreshToken=([^;]+)/);
-//                 sRefreshToken = match ? match[1] : null;
-//             }
-//             response.headers.append("set-cookie", header);
-//         }
-//
-//         response.headers.append("set-cookie", `sFrontToken=${frontToken}`);
-//         response.headers.append("front-token", frontToken);
-//         response.headers.append("frontToken", frontToken);
-//         if (sAccessToken) {
-//             response.headers.append("sAccessToken", sAccessToken);
-//             response.cookies.set("sAccessToken", sAccessToken);
-//         }
-//         if (sRefreshToken) {
-//             response.headers.append("sRefreshToken", sRefreshToken);
-//
-//             response.cookies.set("sRefreshToken", sRefreshToken);
-//         }
-//
-//         response.cookies.set("sFrontToken", frontToken);
-//         return response;
-//     } catch (err) {
-//         console.error("Error refreshing session");
-//         console.error(err);
-//         return NextResponse.redirect(new URL("/auth", request.url));
-//     }
-// }
-
 export const config = {
     matcher: [
         "/((?!_next/static|_next/image|favicon.ico|robots.txt|sitemap.xml|manifest.json|sw.js|workbox-|public/).*)",
     ],
 };
-
-// export const config = {
-//     matcher: "/api/:path*",
-// };
diff --git a/examples/with-next-ssr-pages-directory/config/ssr.ts b/examples/with-next-ssr-pages-directory/config/ssr.ts
@@ -0,0 +1,23 @@
+import { appInfo } from "./appInfo";
+import { useRouter } from "next/navigation";
+import { SuperTokensConfig } from "supertokens-auth-react/lib/build/types";
+import { init } from "supertokens-auth-react/nextjs/middleware";
+
+const routerInfo: { router?: ReturnType<typeof useRouter>; pathName?: string } = {};
+
+export function setRouter(router: ReturnType<typeof useRouter>, pathName: string) {
+    routerInfo.router = router;
+    routerInfo.pathName = pathName;
+}
+
+export const ssrConfig = (): SuperTokensConfig => {
+    return {
+        appInfo,
+        enableDebugLogs: true,
+        recipeList: [],
+    };
+};
+
+export const ensureSuperTokensSSRInit = () => {
+    init(ssrConfig());
+};
diff --git a/examples/with-next-ssr-pages-directory/middleware.ts b/examples/with-next-ssr-pages-directory/middleware.ts
@@ -0,0 +1,30 @@
+import { NextResponse } from "next/server";
+import type { NextRequest } from "next/server";
+import { SessionContainer } from "supertokens-node/recipe/session";
+import { ssrConfig } from "./config/ssr";
+import { refreshSession } from "supertokens-auth-react/nextjs/middleware";
+
+export async function middleware(request: NextRequest & { session?: SessionContainer }) {
+    if (request.nextUrl.pathname.startsWith("/api")) {
+        if (request.nextUrl.pathname.startsWith("/api/auth/session/refresh") && request.method === "GET") {
+            return refreshSession(ssrConfig(), request);
+        }
+        return NextResponse.next();
+    }
+    // Save the current path so that we can use it during SSR
+    // Used to redirect the user to the correct path after login/refresh
+    // https://github.com/vercel/next.js/issues/43704#issuecomment-2090798307
+    // TL;DR: You can not access pathname in SSR and requests that originate from redirect()
+    // do not have an origin header
+    return NextResponse.next({
+        headers: {
+            "x-current-path": request.nextUrl.pathname,
+        },
+    });
+}
+
+export const config = {
+    matcher: [
+        "/((?!_next/static|_next/image|favicon.ico|robots.txt|sitemap.xml|manifest.json|sw.js|workbox-|public/).*)",
+    ],
+};
diff --git a/examples/with-next-ssr-pages-directory/pages/index.tsx b/examples/with-next-ssr-pages-directory/pages/index.tsx
@@ -1,13 +1,17 @@
 import React from "react";
 import Head from "next/head";
 import styles from "../styles/ProtectedHome.module.css";
+import type { GetServerSideProps, GetServerSidePropsContext } from "next";
 import SessionReact from "supertokens-auth-react/recipe/session";
 import SuperTokensReact from "supertokens-auth-react";
 import { useSessionContext } from "supertokens-auth-react/recipe/session";
 import { BlogsIcon, CelebrateIcon, GuideIcon, SeparatorLine, SignOutIcon } from "../assets/images";
 import Image from "next/image";
 import { recipeDetails } from "../config/frontendConfig";
 
+import { getSSRSession } from "supertokens-auth-react/nextjs/ssr";
+import { ssrConfig } from "../config/ssr";
+
 interface ILink {
     name: string;
     onClick: () => void;
@@ -89,6 +93,12 @@ function ProtectedPage() {
     );
 }
 
+export const getServerSideProps = (async (context: GetServerSidePropsContext) => {
+    const props = await getSSRSession(ssrConfig(), context.req.headers, context.req.cookies);
+
+    return props;
+}) satisfies GetServerSideProps<>;
+
 export default function Home(props) {
     return (
         <SessionReact.SessionAuth>
diff --git a/lib/ts/nextjs/middleware.ts b/lib/ts/nextjs/middleware.ts
@@ -11,40 +11,83 @@ const REFRESH_TOKEN_HEADER_NAME = "st-refresh-token";
 const ANTI_CSRF_TOKEN_COOKIE_NAME = "sAntiCsrf";
 const ANTI_CSRF_TOKEN_HEADER_NAME = "anti-csrf";
 
+const REDIRECT_ATTEMPT_MAX_COUNT = 5;
+const REDIRECT_PATH_PARAM_NAME = "stRedirectTo";
+const REDIRECT_ATTEMPT_COUNT_COOKIE_NAME = "sSsrSessionRefreshAttempt";
+
 let AppInfo: SuperTokensNextjsConfig["appInfo"];
 
-// export function superTokensMiddleware(config: SuperTokensNextjsConfig, request: NextRequest, response: NextResponse) {
+// export async function superTokensMiddeware(config: SuperTokensNextjsConfig): () => Promise<Response | void> {
 //     AppInfo = config.appInfo;
 //     if (config.enableDebugLogs) {
 //         enableLogging();
 //     }
-//     const url = new URL(request.url);
-//     if (url.pathname === "/auth/session/refresh") {
-//         return refreshSession(request, response);
-//     }
 //
-//     // Save the current path so that we can use it during SSR
-//     // Used to redirect the user to the correct path after login/refresh
-//     return response.next({
-//         headers: {
-//             "x-current-path": url.pathname,
-//         },
-//     });
+//     return (request: Request) => {
+//         const url = new URL(request.url);
+//         if (url.pathname.startsWith("/api")) {
+//             if (request.headers.has("x-user-id")) {
+//                 console.warn(
+//                     "The FE tried to pass x-user-id, which is only supposed to be a backend internal header. Ignoring."
+//                 );
+//                 request.headers.delete("x-user-id");
+//             }
+//
+//             if (url.pathname.startsWith("/api/auth/session/refresh") && request.method === "GET") {
+//                 return refreshSession(ssrConfig(), request);
+//             }
+//
+//             if (url.pathname.startsWith("/api/auth")) {
+//                 // this hits our pages/api/auth/* endpoints
+//                 return;
+//             }
+//
+//             return withSession(request, async (err, session) => {
+//                 if (err) {
+//                     return NextResponse.json(err, { status: 500 });
+//                 }
+//
+//                 if (session === undefined) {
+//                     return NextResponse.next();
+//                 }
+//                 return NextResponse.next({
+//                     headers: {
+//                         "x-user-id": session.getUserId(),
+//                     },
+//                 });
+//             });
+//         }
+//         // Save the current path so that we can use it during SSR
+//         // Used to redirect the user to the correct path after login/refresh
+//         // https://github.com/vercel/next.js/issues/43704#issuecomment-2090798307
+//         // TL;DR: You can not access pathname in SSR and requests that originate from redirect()
+//         // do not have an origin header
+//         const response = NextResponse.next();
+//         response.cookies.set("sCurrentPath", request.nextUrl.pathname);
+//     };
 // }
 
 export async function refreshSession(config: SuperTokensNextjsConfig, request: Request): Promise<Response> {
     AppInfo = config.appInfo;
     if (config.enableDebugLogs) {
         enableLogging();
     }
-    console.log(request);
+
+    // Cancel the refresh cycle if an unforseen state is encountered
+    const redirectAttemptNumber = getRedirectAttemptNumber(request);
+    if (redirectAttemptNumber > REDIRECT_ATTEMPT_MAX_COUNT) {
+        return redirectToAuthPage(request);
+    }
+
     const refreshToken =
         getCookie(request, REFRESH_TOKEN_COOKIE_NAME) || request.headers.get(REFRESH_TOKEN_HEADER_NAME);
     if (!refreshToken) {
         logDebugMessage("Refresh token not found");
         return redirectToAuthPage(request);
     }
 
+    const requestUrl = new URL(request.url);
+    const redirectTo = requestUrl.searchParams.get(REDIRECT_PATH_PARAM_NAME) || "/";
     try {
         const tokens = await fetchNewTokens(refreshToken);
         const hasRequiredCookies = tokens.accessToken.cookie && tokens.refreshToken.cookie && tokens.frontToken.cookie;
@@ -53,35 +96,35 @@ export async function refreshSession(config: SuperTokensNextjsConfig, request: R
             logDebugMessage("Missing tokens from refresh response");
             return redirectToAuthPage(request);
         }
-        const currentUrl = new URL(request.url);
-        const redirectUrl = new URL(currentUrl.searchParams.get("redirectTo") || "/", request.url);
+        const redirectUrl = new URL(redirectTo, request.url);
         const finalResponse = new Response(null, {
             status: 307,
             headers: {
                 Location: redirectUrl.toString(),
-                "x-current-path": redirectUrl.pathname,
-                "x-st-ssr-session-refresh-attempt": "0",
             },
         });
+        finalResponse.headers.append(FRONT_TOKEN_HEADER_NAME, tokens.frontToken.header as string);
         if (hasRequiredCookies) {
-            finalResponse.headers.append(
-                "set-cookie",
-                `${tokens.accessToken.cookie as string},${tokens.refreshToken.cookie as string},${
-                    tokens.frontToken.cookie as string
-                }`
-            );
-            finalResponse.headers.append("x-middleware-set-cookie", tokens.accessToken.cookie as string);
-            finalResponse.headers.append("x-middleware-set-cookie", tokens.refreshToken.cookie as string);
-            finalResponse.headers.append("x-middleware-set-cookie", tokens.frontToken.cookie as string);
+            finalResponse.headers.append("set-cookie", `${tokens.accessToken.cookie as string}`);
+            finalResponse.headers.append("set-cookie", `${tokens.refreshToken.cookie as string}`);
+            finalResponse.headers.append("set-cookie", `${tokens.frontToken.cookie as string}`);
         }
         if (hasRequiredHeaders) {
             finalResponse.headers.append(REFRESH_TOKEN_HEADER_NAME, tokens.refreshToken.header as string);
             finalResponse.headers.append(ACCESS_TOKEN_HEADER_NAME, tokens.accessToken.header as string);
-            finalResponse.headers.append(FRONT_TOKEN_HEADER_NAME, tokens.frontToken.header as string);
-            if (tokens.antiCsrfToken.header) {
-                finalResponse.headers.append(ANTI_CSRF_TOKEN_HEADER_NAME, tokens.antiCsrfToken.header);
-            }
         }
+
+        if (tokens.antiCsrfToken.cookie) {
+            finalResponse.headers.append("set-cookie", `${tokens.antiCsrfToken.cookie as string}`);
+        } else if (tokens.antiCsrfToken.header) {
+            finalResponse.headers.append(ANTI_CSRF_TOKEN_HEADER_NAME, tokens.antiCsrfToken.header);
+        }
+        finalResponse.headers.append(
+            "set-cookie",
+            `${REDIRECT_ATTEMPT_COUNT_COOKIE_NAME}=${
+                redirectAttemptNumber + 1
+            }; Path=/; Max-Age=10; HttpOnly; SameSite=Strict`
+        );
         logDebugMessage("Attached new tokens to response");
         return finalResponse;
     } catch (err) {
@@ -162,3 +205,13 @@ function getCookie(request: Request, name: string) {
         .find((row) => row.startsWith(`${name}=`))
         ?.split("=")[1];
 }
+
+function getRedirectAttemptNumber(request: Request): number {
+    const cookieValue = getCookie(request, REDIRECT_ATTEMPT_COUNT_COOKIE_NAME) || "1";
+
+    try {
+        return parseInt(cookieValue);
+    } catch (err) {
+        return 1;
+    }
+}
diff --git a/lib/ts/nextjs/ssr.ts b/lib/ts/nextjs/ssr.ts
diff --git a/lib/ts/nextjs/types.ts b/lib/ts/nextjs/types.ts
