How to sign out the user from server side (getServerSideProps)

[igpe]

Question 💬

What would be considered proper way to sign out the user from the server side, like from getServerSideProps?
Is it safe to just expire next-auth.session-token cookie (using name that is set under cookies sessionToken options)? I am aware this would not trigger signOut event.

Sending POST request to /api/auth/signout (with csrfToken) does not produce expected result from server side. Id does work fine when called from client.

How to reproduce ☕️

Simple question. No code needed.

Contributing 🙌🏽

No, I am afraid I cannot help regarding this

[ThangHuuVu]

We've been receiving some feedback about having signOut on the Backend, but haven't decided yet about the API 🤔
Our best option so far is to have a "signOut" action, similar to our unstable_getServerSession API

next-auth/packages/next-auth/src/next/index.ts

Line 95 in 49a8d51

action: "session",

Prolly we will release it in an experimental fashion in the near future. 🤞

[peppescg]

Hi @ThangHuuVu is there an update on this issue? In my use case I need to signout in case of 401 API response, and I want to handle it on the server rather than client
Actually I am redirecting to a client Logout page and signOut, but this means unneeded redirect and waste of time from a UX perspective

[nelsonmandeladev]

Hello @peppescg, I think there is a work arround on this that has come out with the latest update where you can signIn our signOut on the server side, for that you need to update to version "next-auth": "^5.0.0-beta.16",,

npm install next-auth@beta

Then in your auth-config.ts file you can do this. Note that I'm using the database to persist the session instead if cookies and that why you can see the adapter config here. So you can securly remove it:

import NextAuth from "next-auth"
import { PrismaAdapter } from "@auth/prisma-adapter"
import prisma from "./prisma"
import GoogleProvider from "next-auth/providers/google"
import FacebookProvider from "next-auth/providers/facebook"

export const { handlers, auth, signIn, signOut } = NextAuth({
    adapter: PrismaAdapter(prisma),
    providers: [
        GoogleProvider({
            clientId: process.env.AUTH_GOOGLE_ID,
            clientSecret: process.env.AUTH_GOOGLE_SECRET
        }),
        FacebookProvider({
            clientId: process.env.AUTH_FACEBOOK_ID,
            clientSecret: process.env.AUTH_FACEBOOK_SECRET
        })
    ],
    pages: {
        signIn: "/login"
    }

})

Finaly just call any of the exported methodes in the server rendered code, for the client render code you can keep using the signIn or signOut from next-auth/react, Also don't forget to use with async...await

You can find more here: https://authjs.dev/getting-started/installation?framework=next.js

[peppescg]

@nelsonmandeladev oh that's amazing, thanks for the heads-up 🙏
I will makes a couple of tests with the beta.

[nelsonmandeladev]

@peppescg Your are welcome 🤗

[mardrof]

Hi @ThangHuuVu. Do you have any new informations when signing out from backend side will be possible? :)

[ThangHuuVu]

@mardrof we have an ongoing RFC here: #6246
First step is to test the idea of getting the session first, and then we'll add support for mutation like login and log out gradually

[NikkiMather]

Any update on this? I'm currently using the Credentials provider and managing a users session is very odd, even if you are purposely discouraging us from using user/pass logins. Since NextAuth doesn't respect the maxAge property set in ...[nextauth] and keeps extending the users session, I have to set the 'real' token expiry date when the JWT gets allocated, then check it in the session callback. I was hoping to just use signOut once the date of my own token expiry goes by and even though it does work, it also gives errors about the window object, naturally...

I've spent countless days trying to get this working on an enterprise app and it seems like NextAuth just really doesn't want me using the Credentials provider so much, that you're purposely making it difficult to use. Ugh.

[Khaaz]

I also need server side logout..
In my case I need to fetch a data from my backend and depending the result, it should logout the user.
I want to do that server side as I want to make sure users correctly logout when they should.

I can't really use JWT / Session callbacks are they are called a lot. in my case I really juste want to do the verification once (on every refresh basically)

Any plan for this to actually be a thing? Or potential workarounds?

[wahyunurarizky]

hello, any info for this?, I have same question

[nelsonmandeladev]

Hello @wahyunurarizky, I had the same problem, but in my case, I wanted to log out the user when the backend API JWT token expired as I'm using a single fetch instance I created for the entire project. Also as for the project I opted to use server action for API calls and data fetching but the signout function seems to be a hook meaning it can't be called on the server side, so, to handle this I created a standalone client page log out page and use redirect("/auth/logout"); in my fetch method. the one the log out page is called I then call the the signout in the useEffect hook useEffect(() => { signOut({ redirect: true, callbackUrl: '/auth/login' }); }, []);.

It's a bit weird but for now it solves my problem.

[AlexisKenAlvarez]

Thank you! This works for me

[dekiakbar]

@wahyunurarizky hi, where you put this code ? I have tried in api handler and in middleware but getting error

[wahyunurarizky]

i put in api handler, it should be work either in middleware

[enyelsequeira]

hey @wahyunurarizky does this log you out? and clear the cookies? I have something like this

[mdahiemstra]

Probably a good idea to verify the csrf token here e.g.

  const csrfTokenClient = cookies().get('next-auth.csrf-token');
  const [csrfToken, csrfTokenHash] = csrfTokenClient.value.split('|');

  const expectedCsrfTokenHash = createHash('sha256')
    .update(`${csrfToken}${process.env.NEXTAUTH_SECRET}`)
    .digest('hex');

  if (csrfTokenHash !== expectedCsrfTokenHash) {
    // do stuff
   }

[DevYemi]

Please is there any new update on this ?

[leonimurilo]

Any update on this? Disappointing for such a simple thing to be so inelegant

[habibium]

Man, I am in soo need of this rn.

[jealouscase]

Would be awesome if we could get an update on this 🙏

[mdahiemstra]

Probably a good idea to verify the csrf token here e.g.

const secureCookie = process.env.NEXTAUTH_URL?.startsWith('https://');
const cookiePrefix = secureCookie ? '__Secure-' : '';

const csrfTokenClient = cookies().get(`${secureCookie ? '__Host-' : ''}next-auth.csrf-token`);
const [csrfToken, csrfTokenHash] = csrfTokenClient?.value?.split('|');

const expectedCsrfTokenHash = createHash('sha256')
  .update(`${csrfToken}${process.env.NEXTAUTH_SECRET}`)
  .digest('hex');

if (csrfTokenHash !== expectedCsrfTokenHash) {
  // do stuff
}

Btw, it seems like a bad idea to clear the cookies yourself, but if you do you also need to consider the secureCookie prefix in next-auth:

const cookieNames = [
  `${cookiePrefix}next-auth.session-token`,
  `${cookiePrefix}next-auth.callback-url`,
  `${secureCookie ? '__Host-' : ''}next-auth.csrf-token`,
];

cookieNames.forEach((cookieName) =>
  cookies().set(cookieName, '', {
    expires: new Date(Date.now()),
    secure: secureCookie,
    httpOnly: true,
    sameSite: 'none',
  })
);

[CromulentCoder]

Plus one for the feature. It seems like a much needed feature for anyone using a backend different from their next-auth authentication to be able to logout users from server side on JWT expiry/ invalidation.

[Jared-Dahlke]

plus one for needing to be able to logout user server side. Using latest app dir.

[Jared-Dahlke]

can we just clear all of our cookies to logout?

[ngotrongphuc]

yes you can, but the session on client won't be updated so the UI won't be rerendered

[seiscordas]

I don't understand why it is so hard to do this.
In my mind we only have to do this on server side: "await signOut();"
Why it is not simple like this?

[CRIMSON-CORP]

Im also stuck on this, i even thought it exists, just realizing it doesnt

[CRIMSON-CORP]

Hehe exactly, i do hope the feature gets stable as soon as possible, my only option is to set next auth session expiry a little sooner than when the token expires on the backend

[peppescg]

Hi @nelsonmandeladev, are you able to run the next-auth": "^5.0.0-beta.17" version calling signout on a server action 🤔 ?
Cause I got an error described here based on the fact that seems the cookies are deleted not on a server action, but that's not possible.

[seiscordas]

Hi CRIMSON-CORP!
How did you do this "my only option is to set next auth session expiry a little sooner than when the token expires on the backend"? could you please share de code?

[CRIMSON-CORP]

jwt: { maxAge: 60 * 30, // let it match backend token expiry time },

add this to your next auth options

The user token on our backend expires every one hour, so setting the max age of jwt on next auth to the same one hour logs the user out of the application before they can make any request that would eventually give a 401 and crash my application

[Saran33]

@peppescg same issue, I simply want to call signOut on the server, not some convoluted nonsense of creating a client component specifically to make a call to the server via a server action to call signOut, or call signOut on the client side

[Jared-Dahlke]

Docs or it didn’t happen Sent from [Proton Mail](https://proton.me/mail/home) for iOS

…

On Sun, May 5, 2024 at 3:02 AM, Sonfack Nelson Mandela ***@***.***(mailto:On Sun, May 5, 2024 at 3:02 AM, Sonfack Nelson Mandela <<a href=)> wrote: Hey ***@***.***(https://github.com/CRIMSON-CORP) have you tried the latest version of next-auth now authjs ? It's still in beta but it's now possible to sign out from the server. — Reply to this email directly, [view it on GitHub](#5334 (reply in thread)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AH3JIEUSX25IG3EJ4VHZPM3ZAX7TNAVCNFSM6AAAAAAQKS77CKVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TGMJYHE4DI). You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[OliXVIII]

First step:
Clear browsing data (Clear history, cookies, cache, and ...) - All time

[AmritpalChera]

For me, using the supabase signout method works fine.

I referenced this repository which goes over how to set up supabase auth and also has a logout function that works wonderfully:
[nextjs14-supabase-ssr-authentication]

There should be no need to clear cookies manually. Hope it helps!! :)

[shinnida220]

Just adding this here as it might help someone.

If you use [email protected] and [email protected] server side redirect works like a breeze, no errors at all.

I remembered I used the nextjs dashboard tutorial and it worked, then tried doing the same thing in another nextjs setup and I had a lot of issue. I tried several suggestions above that didn't work until I downgraded the next version from 14.0.3 to 14.02

[skulden13]

Hi there,

I've spent quite a lot of time on this issue. Finally, the mix of server-side and client-side code works for me. First, return an error on the server side. Then, check it inside the client-side component.
I hope it will be helpful for someone else.

// Server-side code: pages/api/auth/[...nextauth].js

import NextAuth from 'next-auth';
import KeycloakProvider from 'next-auth/providers/keycloak';

const ISSUER = '...';
const REALM = '...';

export default async function auth(req, res) {
  async function createProviders() {
    const config = {
      clientId: process.env.CLIENT_ID,
      clientSecret: process.env.CLIENT_SECRET,
      issuer: ISSUER,
      realm: REALM,
    };

    return [KeycloakProvider(config)];
  }

  async function refreshAccessToken(token, issuer) {
    try {
      /// ... attempt to refresh token here
    } catch (error) {
      return {
        ...token,
        // This error will be catched on the client-side
        error: 'REFRESH_TOKEN_ERROR',
      };
    }
  }  

  const providers = await createProviders();
  const authOptions = {
    providers,
    callbacks: {
      async session({ session, token }) {
        // ...
        return session;
      },
      async jwt({ token, user, account }) {
        // Initial sign in
        if (account && user) {
          // ...
          return {
            accessToken: account.access_token,
            accessTokenExpires: account.expires_at * 1000,
            refreshToken: account.refresh_token,
            user,
            realm: REALM,
          };
        }

        // Return previous token if the access token has not expired yet
        if (Date.now() < token.accessTokenExpires) {
          return token;
        }

        // Access token has expired, try to update it
        return refreshAccessToken(token, ISSUER);
      },
    },
    pages: {
      signIn: '/auth/signin',
    },
  };

  return NextAuth(req, res, authOptions);
}



// Client-side code
'use client';
import { useRouter } from 'next/navigation';
import { useSession, signOut } from 'next-auth/react';
import React, { useEffect } from 'react';
import { Page } from '...';

function LoggedIn() {
  const { data } = useSession({ required: true });
  const router = useRouter();

  useEffect(() => {
    // check for error
    if (data?.error === 'REFRESH_TOKEN_ERROR') {
      signOut();
    }
  }, [data, router]);

  if (!data) return null;

  return <Page />;
}

[Saran33]

Based on a combination of the above suggestions as a hackish workaround to sign out the user if the access token has expired, we can set the JWT exp to match the access token exp. This can also be used to set the session.expires in the session callback (which is expected to be an ISO string). In the middleware, we can check if the session is expired and redirect to the login page with some query param to indicate that we should sign the user out. Then, on the custom login page, assuming it includes some client component, we can sign the user out with either signOut from next-auth/react or else a server action to call signOut on the server if using the latest version of v5 as mentioned above.

// auth.config.ts
// ...
    async jwt({ token, user, account, trigger, session }) {
      if (user) {
        const { accessToken, ...userinfo } = user;
        token.accessToken = accessToken;
        token.exp = getTokenExp(accessToken!);
        token.user = userinfo as User;
        // auth.js v5 is not respecting the user.id we are setting in the profile cb result
        // it is being overridden by the Oauth provider id
        token.user.id = userinfo.user_id;
        delete token.user.user_id;
        if (account) {
          token.provider = account?.provider;
        }
        token.scopes = getSecurityScopes(accessToken);
      }
      // ...
      return token;
    },
    async session({ session, token }) {
      const _session: Session = session;
      if (token) {
        if (session) {
          _session.provider = token.provider;
          _session.accessToken = token.accessToken;
          _session.scopes = token.scopes;
          _session.user = token.user;
          _session.error = token.error;
          _session.expires = new Date(token.exp * 1000).toISOString();
        }
      }
      return _session;
    },

// middleware.ts
const auth = NextAuth(authConfig).auth;

export default auth(async req => {
  const pathname = req.nextUrl.pathname;
  console.log('PATH:', pathname);
  const authenticated = !!req.auth;
  const isTokenExpired =
    req.auth?.expires && new Date(req.auth.expires) < new Date();

  // Handle authenticated redirects from auth pages
  if (pathname.startsWith('/login') || pathname.startsWith('/register')) {
    if (authenticated && !isTokenExpired)
      return NextResponse.redirect(new URL(HOME_URL, req.url));
    return NextResponse.next();
  }

  // Handle unauthenticated access
  if (!authenticated) return redirectWithQuery(req, '/login');
  if (isTokenExpired) return redirectWithQuery(req, '/login?signInAgain=true');

  const scopes = req.auth?.scopes ?? [];
  const isAuthorized = scopeValidator.isAuthorized(scopes, pathname);

  // handle authorized redirects from signup page
  if (pathname.startsWith('/signup')) {
    if (isAuthorized) return NextResponse.redirect(new URL(HOME_URL, req.url));
    return NextResponse.next();
  }

  // Check if path requires specific scopes
  if (!isAuthorized) {
    return NextResponse.redirect(new URL('/signup', req.url));
  }

  return NextResponse.next();

// on login page include:
'use client';

import { useSearchParams } from 'next/navigation';
import { signOut } from 'next-auth/react';

// ...

  const searchParams = useSearchParams();
  const signInAgain = searchParams?.get('signInAgain');

  React.useEffect(() => {
    if (signInAgain === 'true') {
      signOut({ redirect: false });
    }
  }, [signInAgain]);

The annoying thing is that we can't simply call signOut as a server action on the server. Personally, I was trying to use a wrapper around auth that does this without needing to use middleware and some useEffect hook in a client component. Something like:

'use server';

import { auth, signIn, signOut } from '@/auth';

export async function getServerAuth() {
  const session = await auth();
  const user = session?.user as UserInfo | undefined;
  const accessToken = session?.accessToken;
  return { session, user, accessToken };
}

export async function getAuth(nextUrl?: string) {
  const { session, user, accessToken } = await getServerAuth();
  if (!session || !user || !accessToken) {
    const redirectUrl = authConfig?.pages?.signIn || '/login';
    const next = nextUrl ? `?next=${nextUrl}` : '';
    redirect(`${redirectUrl}${next}`);
  }
  // here we could check if session.expires is in the past.
  // call `signOut` if it is expired.

  return { session, user, accessToken };
}

[tsykin]

I am yet to write my own solution to this, but I am thinking about adding session.validUntil property od type Date.
Then, in middleware I would compare currentDate and session.validUntil and depending on the result call the signOut()

This solution doesn't involve extra fetch and per-page revalidation. I will write an update here once I am sure that my solution is working.

[tsykin]

I have spent some time working on a solution and came up with 2 solutions.

1. If you need to revalidate session every X seconds/days

In your authOptions, you can choose maxAge for your session. You don’t need any extra setup, user will be logged out automatically when session becomes invalid.

const oneDay = 86400; // 1 day in seconds (60 * 60 * 24)
const sevenDays = 604800; // 1 week in seconds (60 * 60 * 24 * 7)

const authOptions: NextAuthOptions = {
  session: {
    strategy: 'jwt',
    maxAge: sevenDays,
  },
  ... 

This value can be accesses/checked in session callback:

// in authOptions, session callback
async session({ session, token }) {
      console.log(session.expires);
      return session;
    },
 ... 

2. If you want to revalidate user sessions on-demand

The only way you can do this is on a jwt callback level, since it’s responsible for getting user data into session callback.

The way I do it is as follows:

2.1 Create route.ts for fetching user data by user.id (ex. app/api/user/id/[id].route.ts

// /app/api/user/[id]/route.ts
import prisma from '@/lib/db';
import { dictionary } from '@/utils/dictionary';
import { NextResponse } from 'next/server';

export async function GET(
  request: Request,
  { params }: { params: { id: string } }
) {
  try {
    const user = await prisma.user.findUnique({
      where: {
        id: params.id,
      },
    });

    if (!user) {
      console.log('No user found', params.id);
      return NextResponse.json(null);
    }

    return NextResponse.json(user);
  } catch (error) {
    console.log(error);
    NextResponse.json(
      { error: dictionary.general.getRequestError },
      { status: 500 }
    );
  }
}

2.2 create server action that fetch this route handler and cache it using next tag

// /app/lib/user.ts
// This function is used in authOptions
"use server"

export async function getUserById(userId: string): Promise<UserFull | null> {
  console.log('getUserById', userId);
  const response = await fetch(`${env.siteUrl}/api/user/id/${userId}`, {
    next: {
      tags: ['user'],
      revalidate: 604800, // 7 days in seconds (60 * 60 * 24 * 7)
    },
    method: 'GET',
  });

  const data = await response.json();

  if (!response.ok) {
    throw new Error('Failed get product information.');
  }

  return data;
}

2.3 Use created server action in jwt callback

// in authOptions, jwt callback
async jwt({ token, user, trigger, session }) {
  if (token.id) {
    // This is called when user is already logged in (getUserId() is cached)
    // Cache doesn't persist between deployments, meaning user will stay logged in between deployments, but getUserId() will result in data fetch (cache miss)
    const userFull = await getUserById(token.id as string);
    return userFull;
  }
  if (user) {
    // This will only be executed upon signIn()
    const userFull = await getUserById(user.id as string);
    return userFull;
  }
  if (trigger === 'update') {
    // Handle session update
    return { ...token, ...session.user };
  }
  return token;
},

2.4 Add revalidateTag() action

// somewhere in your admin panel
revalidateTag('user');

This way I achieved on-demand user session revalidating without a need to log out users.

For even more enchances caching, I usually add dynamic tag to fetch with userId.

It can look like this:

  const response = await fetch(`${env.siteUrl}/api/user/id/${userId}`, {
    next: {
      tags: ['user', `userId-${userId}`],
      revalidate: 604800, // 7 days in seconds (60 * 60 * 24 * 7)
    },
    method: 'GET',
  });

This way I can choose whether to revalidate cache for all users with revalidateTag('user');, or revalidate cache for only a specific user with revalidateTag('userId-8f98cac8-193c-42fe-9cda-068d73846267');

The only caveat of 2nd method is the fact that nextjs cache doesn’t persist between deployments, meaning auth flow is as follows:

• user is logged in
• new app deployment occurs
• user stays logged in, but when getUserById() is called in jwt the first time, it results in data fetch since no cache is available in new deployment (cache miss)

This is not a big deal, especially considering that the entire rest of the data fetches will also be revalidated, not just user data fetch. I solve that by simply having 2 environments: stage and production. Deploys in prod are less frequent, so I get less cache miss'es.

Hopefully that helped someone

[louisfacun]

Not exactly getServerSideprops, but another way that uses client component that doesn't require a page:

// auth/signout.ts|js
"use client";

import { signOut } from "next-auth/react";
import { useEffect } from "react";

export default function SignOut() {
  useEffect(() => {
    signOut({ redirect: true, callbackUrl: "/" }); # to home
  }, []);

  return null;
}

// some-page.ts|js
export default async function Page() {
  const session = await auth();

  // Some code that can't refresh token
  if (session?.error) {
    return <SignOut />;
  }

  if (!session) {
    return (
      <div>
        <p>Not authenticated</p>
      </div>
    );
  }

[ngotrongphuc]

it's almost the end of 2024 end we still don't have the solution for this. my application rely on this so much.