Next.js App Router Authentication (Sessions, Cookies, JWTs)

00:00

Let's talk about authentication in Next.js.

00:02

This is a broad topic, and there's a lot that we could talk about.

00:05

In this video, I'm going to cover showing how to do basic session authentication in

00:10

Next.js without any additional libraries.

00:13

Then, I'll also show some other options you can use too, if you don't want to roll your

00:17

own auth.

00:18

So, let's get into it.

00:19

The code for this video will be in the description, and we've also published new docs for both

00:23

the pages and the app router, so go check those out.

00:26

But what I've done is I've cloned this application locally.

00:29

I've got it up in my editor, and we're just going to talk through some of the bits here.

00:32

First, we have our root layout, which hasn't changed from setting up a hello world Next.js

00:37

app.

00:38

This is just the HTML in the body of our application.

00:40

And then, I have our index route.

00:42

So, I have our page file denoting that route.

00:44

This is a server component, so we've marked it as async, and we're awaiting getting the

00:50

session for our application.

00:51

If there's a user, we're going to print out information about the user here; otherwise,

00:56

we're just going to say it's null.

00:57

Then, we have two different forms here.

00:59

We have one form that allows the user to log in, and it calls the server action.

01:03

It calls this login function and then redirects back.

01:07

And then, we also have the same thing, basically, to log out.

01:10

So, this is just a basic scaffolding of log in, log out.

01:13

There's, of course, a lot more that we can do here, but the real meat of understanding

01:17

the basics of authentication is going to be in the login and logout functions.

01:23

So, we've moved all of this library, everything related to authentication, into this one lib.ts

01:29

file.

01:31

Let's start with login.

01:32

So, the login function that gets called over here, I'll just type in [email protected], hit

01:40

enter to submit our form, and we see this information that is logged out on the right.

01:46

This login function is called; it takes in the form data.

01:50

I can read information from the form, like the email.

01:53

I can put some other additional information here on the user object in your application.

01:57

This is where you would probably talk to a database and look up information about the

02:01

user.

02:02

And once we get that information back, then we get to create our session.

02:07

So, we're going to define when we want it to expire through a new date.

02:12

We're going to make this session object, which is going to be encrypted, and it takes the

02:17

user and the time that it expires, and then we set this as a cookie.

02:22

So, Next.js has this cookies function that allows you to set and delete cookies.

02:27

So, we set this with the name of session, we pass along the session, we say when it

02:33

expires, and critically, we say this is an HTTP-only cookie, so you can only read this

02:38

on the server.

02:39

Now, we skipped over this encryption part, but this is really important.

02:42

So, if we go up to encrypt, you'll see that we're doing a couple of things here.

02:49

This is an asynchronous function.

02:50

It takes in the payload for our JWT, or JSON Web Token, and we're going to call this function

02:58

from this library here, Jose, which is going to allow us to sign the JWT based on the payload

03:08

and the algorithm that we want, when it was issued, when we wanted it to expire at, and

03:13

then the secret key that we're going to use for that encryption.

03:17

Now, here I've just defined it up top.

03:19

In your application, you probably want this to be an environment variable or something

03:23

that people wouldn't have access to, so definitely don't want this value to get exposed.

03:28

So, we take this, this is what's actually going to encrypt that JWT.

03:32

So, let's take a look at what that looks like in my browser.

03:35

I'm going to open up devtools, and I'm going to reload the page.

03:39

There's no session right now because it had expired.

03:42

So, I'll do [email protected], I'll hit log in, and we set this session key here.

03:48

So, let's take this value, this encrypted JWT, and let's pop on over to jwt.io.

03:54

So, I've pasted this in here, and we see on the right, it determines what the algorithm

03:59

was, it shows the payload of the data, and then it says, "Hey, if you want to verify

04:03

the signature, you need to put in that secret bit."

04:06

So, this is just a nice way of being able to kind of visualize that data, just a helpful

04:10

little tip.

04:11

So, the session is stored as a cookie here, and we said it expired in 10 seconds.

04:15

So, when I reload the page, it's expired, that cookie is no longer there; it's done.

04:22

If I log in again, [email protected], and I reload, what you're going to notice is that the value

04:31

of "expires" is getting updated every single time, and you would also see that reflected

04:36

in the decrypted value of the JWT that we're storing.

04:40

So, how is this happening, and why are we doing this?

04:42

Well, if we pop back over to our application code, and we look at the middleware file,

04:47

this file is going to run in front of every request in our application, and it's calling

04:52

this function.

04:53

It's taking in the web request, and it's calling "update session" with that web request.

04:59

So, let's pop back into our authentication file, where we've been kind of building our

05:03

own auth library, and we have updateSession.

05:07

So, it takes in that request, NextRequest is just an extension of the web request, takes

05:13

in that request, it looks at the cookies.

05:16

If there's no session, if there's no session cookie provided, you can just return back;

05:20

otherwise, refresh that session so it doesn't expire.

05:24

So, we decrypt that value from the session, we set a new expiration time, we tell NextResponse

05:32

that we're going to produce a response, a web response from this, and then on that response,

05:37

we set a new cookie.

05:38

Now, the bit that we skipped over here was the decrypt function.

05:43

So, let's go take a look at that.

05:45

Decrypt takes in this input, it uses Jose as well, too, to verify, based on the input,

05:52

based on the key, based on the algorithm that we encrypted it with.

05:56

If this, you know, is legit, we're going to decrypt it and return back the payload.

06:00

So, that happened down here, where we got back the value from decrypt, and then we were

06:05

able to update the cookie.

06:07

To round out our auth implementation, we need to read information about the request.

06:11

So, we talked about this getSession function when we first looked at the page, but what

06:16

exactly was this doing?

06:17

Well, really, it's just reading from the cookies.

06:20

So, we already showed how we were setting the JWT as a cookie for our session; all this

06:25

function is doing is just reading from the cookies, looking for that session value, and

06:29

then decrypting the value.

06:31

So, that's how, inside of here, again, if I go back to the browser, I do example.com,

06:37

this could look at my database or something.

06:39

That's how this getSession function is able to get back information about the session.

06:44

Now, if I click log out with the server action, what's going to happen, if you watch my console

06:50

over on the right side, you see that the cookie was deleted.

06:54

So, it was removed out of my cookies.

06:57

And if we click into the logout function, all this was doing was calling the Next.js

07:03

cookies function, and it was essentially destroying the session.

07:07

So, this file is really all it takes for the most minimal session-based authentication

07:14

inside of a Next.js application.

07:16

You're reading your values inside of your page, you are using a middleware to refresh

07:22

that information, and it, of course, can get way more detailed than this.

07:26

But I think it's helpful to step from just a really basic example, and we can add complexity

07:31

on top from there.

07:32

Now, I want to show what an abstraction on this model looks like.

07:36

So, the basic model I showed is effectively a very light version of NextAuth.js, which

07:42

is a popular community library.

07:45

And I want to walk through another example that uses the same setup but using NextAuth.js.

07:50

So, I've got that example open here on the left, and I've got it running in my browser

07:54

on the right, and we're going to see, you know, a lot of similar things, just one layer

07:59

of abstraction higher.

08:00

So, I have this auth file, auth.ts, it's going to set up some sign-in, sign-out, auth methods,

08:07

and also some route handlers for our application.

08:11

And it's going to say that we're using the GitHub provider for auth.

08:14

Those route handlers are under api/auth/[...nextauth].

08:18

So, this catch-all route that is going to scaffold a bunch of those route handlers for

08:23

us, for the library to use.

08:25

So, we take the GET and the POST from that, you know, central auth setup, and we scaffold

08:32

out these routes.

08:34

And then, back in auth, we don't really have to do anything else to get this working with

08:38

GitHub, but since this is, again, a layer of abstraction higher, this works with a bunch

08:42

of different auth providers.

08:43

It could be GitHub, Google, Discord, really any provider you want to use.

08:48

So, let's go look at the index route in the page.

08:51

So, for our page, we are calling await auth, which is basically similar to getting the

08:57

session.

08:58

This was the value that was exported from our auth file.

09:01

From the session, we get the user and the email, and then we render out this information

09:06

below.

09:07

So, I click sign in with GitHub, I've already configured and authenticated to say, "Yes,

09:11

I authorized GitHub," so it skipped the modal, but I say, "Okay, welcome, my email address

09:16

here."

09:17

I can click sign out, and when I look at these other components, they're very similar.

09:23

They're forms that have a server action.

09:25

They call a signin function or a sign-out function.

09:28

The signin one takes in a string, which is the provider that I'm using, in this instance,

09:33

GitHub, and sign out just, you know, deletes the session, basically.

09:37

So, for example, if I open up the cookies, this is for localhost:3001, running on a different

09:44

port.

09:45

Making this a bit bigger, we can see there were three cookies created.

09:48

There's the session token, which is that encrypted JWT; there's the callback URL, and then there's

09:53

also a csrf token for increased security.

09:56

So, this is all abstracted away for us; we don't need to do anything here.

10:00

Just like in the previous example, there's a middleware, so that the session can be refreshed

10:03

when you reload the page.

10:05

This one also includes a config option, with a regex for what routes we want this to run

10:10

on, so it's not going to run the middleware on static files, or next/image, or on the

10:15

favicon.

10:16

So, that's probably good to also include as well, too.

10:18

It's worth noting that, depending on what time you're watching this video, these changes

10:22

might already be stable.

10:23

I'm using the latest beta version of the NextAuth.js package, that's been totally refactored for

10:28

the app router, to really simplify things.

10:31

So, the code for this is down below, if you want to get started on this version.

10:34

It might already be stable by the time you watch it, though, so just wanted to quickly

10:37

mention that, too.

10:38

The topic of authentication goes super deep.

10:41

There's not only authentication; there's also authorization.

10:44

So, we cover some of this in our new docs.

10:46

We talk a little bit about authorization and protecting server actions, protecting route

10:51

handlers.

10:53

In this video, we talked about cookie-based sessions, but there's also database sessions,

10:57

and, you know, there's really a ton of stuff here.

11:00

We also include a bunch of examples with other popular authentication libraries, whether

11:05

it's using Clerk, Lucia, Auth0, Supabase, or any of these here.

11:10

Worth checking out, if you'd like to see us talk more about authentication.

11:14

Definitely let me know in the comments what you want to see with Next.js and AuthA, or

11:18

AuthZ.

11:19

We can go in more deep context here, but hopefully, this was a good introduction into just a very

11:25

basic cookie-based session example.

11:28

Let me know what you thought.

11:29

Peace!