-
Question 💬I'm currently developing an app using Next.js but turns out for different reasons we decided to use 2 Next.js applications and 1 express.js app (1) Full Stack frontend That's the end-user facing app, this has all the regular features a website would have (2) Backend / CMS / API That's a different next.js app intended to be used only by admins, this is also intended to host all the API methods for general CRUD used by the application (1) (3) Express.js app This app will provide yet another API which relies heavily on reading and streaming long files therefore it needs to be hosted separately ( as in: not on Vercel ) but this app also need to have authenticated requests QUESTION I'm wondering how NEXT_AUTH could be used in this regard, for instance, when a end-user logs in on the frontend app for instance using GOOGLE provider how could the frontend then call the API on app (2) and use the same credentials? I would guess in this case we would have to persist the users and share the same MongoDB database for users but i have a feeling it won't be that simple? Any recommendations / suggestions here will be highly appreciated! How to reproduce ☕️frontend on app (1) posting to app (2) Next Jsfrontend request const url = process.env.NEXT_PUBLIC_API_URL + "/stores/add";
axios
.post(url, payload)
.then((response) => {
// do something with result
})server-side methodimport { unstable_getServerSession } from "next-auth/next"
import { authOptions } from "./auth/[...nextauth]"
export default async (req, res) => {
const session = await unstable_getServerSession(req, res, authOptions)
// i guess this session variable won't be populated as the session
// probably we need to send an auth token from app (1) to be validated on app (2) ?
}frontend app (1) posting to app (3) - Express.jsfrontend request // I'm not sure which auth token should be used here?
const authToken = getAuthMagic()
const url = process.env.NEXT_PUBLIC_SECOND_API_URL + "/other/route" + "?auth=" + authToken;
axios
.get(url, payload)
.then((response) => {
setData(response.data);
})imaginary server-side routeexport async function Stream(req: Request, res: Response) {
const auth = req.params.auth
// how do we validate this authToken ?
}Contributing 🙌🏽No, I am afraid I cannot help regarding this |
Beta Was this translation helpful? Give feedback.
Replies: 4 comments 4 replies
-
|
The solution i have found is to sign the JWT with an asymmetric key and then share the PUBLIC KEY with the other APIS this way I can verify the information was signed by my server ( jwt issuer which holds the private key ). There is a need to override the encode / decode methods for JWT on From that point I would be able to send the encrypted JWT token to another HTTP API ( via HTTP HEADER ) and verify it on the HTTP API which will only need to know the PUBLIC KEY in order to verify the signature ( the private key never leaves my jwt issuing environment ) thus being able to verify the signature even if offline ( i.e. no extra http requests are needed ). Some related read can be done here: On a side note @balazsorban44's comment explains the expected behaviour from his point of view but unfortunately the implementation is not clear to me, the solution above is the most secure and straight forward i have found so far. Please let me know your thoughts, i'm wondering which other alternative implementations could be used here and if the implementation i'm suggesting has any flaws. |
Beta Was this translation helpful? Give feedback.
-
|
Hey there, i'm also thinking of doing the same thing but i have another question. how do you decrypt the jwt token from the auth server (google) then? so in this case
I have the exact same setup where I want to utilise next-auth and re-use the token to my backend server |
Beta Was this translation helpful? Give feedback.
-
|
i'm not planning on dealing with the google auth token, i'm assuming next-auth does the authentication and return me a valid JWT signed, on the backend i plan to validate the JWT from next-auth and not deal directly with google provider, mainly because i plan to use multiple providers and i don't want to have to deal with multiple providers one by one, hence why i want to use the token generated from next-auth as my source of truth, if that makes sense? |
Beta Was this translation helpful? Give feedback.
-
|
oh yea that make sense. in that case we just have to share key between NextApp and server, so in server endpoint our security is basically that key and validating that that endpoint can only comes from NextApp. I might try to do the same thing and see actually.. thanks for letting me know |
Beta Was this translation helpful? Give feedback.
-
The idea is that if you sign the token with an asymmetric key you will have a PRIVATE KEY to encode the token and a PUBLIC key to validate the encryption ( similar to how cryptocurrencies signature work and so many other things ) The advantage then is that the PRIVATE KEY is able to generate the tokens won't ever leave the server that encrypts the keys, the advantage then is that other servers / entities can validate the signature was done by the PRIVATE KEY just by owning a copy of your PUBLIC KEY. Have a symmetric key would be a problem as you would have to share the same key that encrypts the tokens with other servers/apps which can of course become an extra attack vector / security breach. there is more info here i think: https://auth0.com/blog/rs256-vs-hs256-whats-the-difference/ let me know how you go with this, I'm going to implement this in my app pretty soon, i been away from this project and just came back now. will post updates here as well |
Beta Was this translation helpful? Give feedback.
-
|
Any updates on how to get this? I am also facing this issue, I've added a Fastify server to my application and i would like to reuse the sessions from Next-auth on fastify |
Beta Was this translation helpful? Give feedback.
-
|
i'm also curious how this has worked out for you. i might do something similar myself as well. |
Beta Was this translation helpful? Give feedback.
-
|
This has become Super Relevant now with Neon RLS. |
Beta Was this translation helpful? Give feedback.
The solution i have found is to sign the JWT with an asymmetric key and then share the PUBLIC KEY with the other APIS this way I can verify the information was signed by my server ( jwt issuer which holds the private key ).
There is a need to override the encode / decode methods for JWT on
next-authin order to useRS256instead of the default algorithm.From that point I would be able to send the encrypted JWT token to another HTTP API ( via HTTP HEADER ) and verify it on the HTTP API which will only need to know the PUBLIC KEY in order to verify the signature ( the private key never leaves my jwt issuing environment ) thus being able to verify the signature even if offline ( i.e. no ext…