Thank you so much 🙏. I really appreciate your support 💖

@@SakuraDev Big thx

Thank you so much,💖

I wish we could like a video multiple times. I am glad to finally see videos getting many views as they deserve

Thank you so much, I am really glad to hear that

Thanks for your support 🙏. Your words mean a lot to me ❤️

Much appreciated!

Hey Prashant 👋, yes it's a great stack. I try to upload more videos about it

Thank you so much ❤❤

Thanks for your support

Thank you so much. The repo is in the description now.

This is good idea

Yes I will do more of this type

Thanks, that's a good idea

Good Point! It's because we use JWT based auth in the backend side, so we need to send JWTs and user data including the role of the user to the frontend. so we keep these data in session in the frontend. If we had used the session based in the BACKEND side, we wouldn't have needed to setup the session in the NextJS side, but this also raise some problems because every time we need the user data (i.e. role of the user), we would need to call backend APIs to get them. Hope that make sense to you. 💖🖐🏻

Let me check

Yess I have the same issue, I even doubted my code and went ahead and tested the original code project repo, and it gave me the same issue, the refresh-token mechanism is not working. I've tested the API using postman and it worked just fine, so I don't thinks there is something wrong with the backend, I think it has something to do with the cookies() and updateTokens function. Please @SakuraDev if you solved this push it to the github repo Thank you a lot for this awesome tutorial!!!

I am really glad it was helpful for you

Thank you so much 🙏. I'm really happy that you like it. Thanks for your comment

One more thing. It would be great if you give us a public github repo of the developed project in video description. It helps a lot as a reference material. One more time, thanks for the video!

You can read the cookie in the parent SSR component and then pass it to the CSR client component or you can put it in a react context

I will add it in the description

Yes you need to do a migration

Thanks, That's a good idea

The repo is in the description now.

@@SakuraDev The api repo is found on the description kindly assist

on the github repo, the api founder is not opening kindly assist

@@ChibuezeLawsonLoctech Hi, The repo link is replaced with a new one in which I've fixed the issue. now you can access the api dir in the new repo

Thanks 🙏💖

I will come up with a solution

You got this!

I should add a video for that. I will do that

Thank you so much! 🙏 I'm really glad you enjoyed the video. Your support means a lot-more content is on the way! 💻

Thanks 🙏❤️

I will create a video soon that

What is the error message?

@@SakuraDev According to your solution in video it seems working fine (without showing error), But every time when I send request to backend via authFetch() function after accessToken expired, its calling to update-tokens route handler. Because cookie is not modifying at all in route handler.

@vihangasilva7947 yeah, it should call the update-token route handler, because we only can update the cookie inside a route handler or a server action which is called by a client form

I am really glad it was helpful for you

I will create a video for deploying the Monorepo

@@SakuraDev Looking forward for this!

Hi, 👋 . It's done by local strategy under the hood

@@SakuraDev Yeah, my fault. Just was using another env file with a new expiration time, then was not affecting to the test. Thank you so much for your quick reply.🙂

@@franciscojosereyes9310 💖🙏

Thank you so much

To use authFetch in a client component, you need to get the session from the server-side first and then pass it to the client. This ensures secure handling of the session data. I'll be covering this in more detail soon-stay tuned!

Thanks for your comment btw

I should add a video replacing drizzle orm with prisma

@@SakuraDev thank you 🙏

I will do that

You can use the same approach we used in refresh Token invalidation. Or you can use a short lifespan access token.

@@SakuraDev Great, and thank you so much again for your quick reply. Have a great end of weekend and next week. Waiting for the next tutorial 😀

@franciscojosereyes9310 Thanks for your support. I am creating a long tutorial like this one.

@@SakuraDev Great my friend!!! 🙏 Always thank you for your great content and your professionality!

@@franciscojosereyes9310 Thank you so much ❤️🙏

Hi, bearded theme and jetbrains font

We use an API for signout because cookies can only be edited on APIs or server actions called by client components. In this case, since we want to remove the cookie in a server function, we can’t directly remove it there. Instead, the API handles the secure removal of the cookie.

Hey. The repo is in the description now.

I just replaced the repo link. Please use the new repo link in the description.

hey, Thanks for your feedback. The GitHub Repo Link is updated in the repo and the issue is fixed now. check the new link in the description please

Thank you so much

That is a good idea 💡. The next one is about graphql and the next Will be on tRPC

Hi, Thanks for your support, I will upload more projects like this.

@@SakuraDev I saw a comment that the refresh token is not working. How would you resolve this issue? I found a lot of videos about implementing access and refresh tokens but none is resolving this in a context like this where the front is separate from the back. It a core functionalty in this video and it would be nice to see a working implementation. At least in the repo. great work! thx!

@@inakiuy The problem is that the cookie is not accessible in the api route. the solution is to use database session. in the next video I will explain that

You're right! Encrypting tokens is important, but if an attacker gains access to the session, they can still compromise the backend. Storing session in httpOnly and SameSite=Lax helps improve security, but it’s always recommended to combine it with other security measures like proper token validation and secure storage practices. While it reduces risk, nothing is entirely foolproof, so continuous monitoring and securing the entire system are crucial.

@SakuraDev okay i got it. thanks. i have already encrypted session token wit jose library. many thanks for your help 🙏

Use tag instead of for sign out

@@SakuraDev yeah. it worked. Thanks! ❤

@@SakuraDev Hi, helpful video, thank you. I am very curious why for signout we use API instead of server function like SignIn and SignUp? And I'm also curious why in the video it works with next/link, but I (and not only) it only works with ?

@@SakuraDev I have tested this with the SignOu server function and it works fine without refreshing the page, what are the disadvantages of this solution?

Thanks for bringing this up! I actually found this issue myself after uploading the video. For now, the only solution I've found is using session databases. I'm still researching a fix for cookie-based sessions, and once I find it, I'll upload an updated solution. Stay tuned!

@@SakuraDev how about using next-auth, i do for all my projects with next js as frontend. with next auth you can removing controller for google OAuth, next-auth will do it for all of the rest.... in nest js, you just handle token and refresh token. pass them to next-auth, it will do all for all the rest...

@@SakuraDev Authentication Flow Between Next.js (Next-Auth) and NestJS Backend Initial Authentication: User submits login credentials through Next.js frontend Next-Auth forwards these credentials to NestJS backend (including Google Oauth if succeded) Backend validates and generates both access & refresh tokens Tokens are stored in database for history tracking Tokens are returned to Next-Auth Session Management: Nexr-auth will handle it on just client side Token Refresh Mechanism: Next-Auth monitors token expiration When access token expires: Next-Auth sends refresh token to backend Backend validates refresh token against database Backend generates new token pair New tokens are updated in database New tokens are returned to Next-Auth Next-Auth updates its session Logout Process: User initiates logout Next-Auth clears session Backend removes tokens from database All active sessions are invalidated Security Measures: Tokens are stored with expiration timestamps Expired tokens are automatically cleaned from database Each token pair is unique per login session Refresh tokens are single-use Token revocation is possible through database

@@afdhaliapreto7703 It's is a great choice. But if you want to handle OAuth in nestJs, we can't create a session in Next-Auth upon a successful sign in with OAuth in Nestjs. Do you have a solution for that?

Thanks for your feedback 🙏

Glad you find it interesting! Monorepos can be super powerful for managing projects efficiently. Let me know if you’d like to see more content or a deeper dive into this setup!

¡Gracias por tu comentario! Entiendo que el sistema puede parecer extenso. Si prefieres algo más sencillo, podrías probar con Firebase o Supabase, que simplifican mucho la autenticación. Si necesitas una versión más simple o explicación de algo, ¡avísame! 😊

Hey Prashant, I am doing some research for that and then I will create a video about it

I will try to build something with svelte nest js.

The next video is a blog project with this stack. And the next one is going to be an E commerce project

​@@SakuraDev when will you finish your blog project? i really hope you will publish it soon sir

@danhcox It's almost finished. It will be published next week. Thanks for your patience 🙏

just install react snippet extension

I appreciate you taking the time to watch!

I understand your concern about the logic of access and refresh tokens. I'll address this in detail in an upcoming video.

Yeah I faced same problem .please fix it

@@SakuraDev hay que agregar la logica cuando el accesstoken expira

I will include it in the description

The repo is in the description now.

Thank you so much

Yes. I will add it in the next video

The repo is in the description now.

same question, I cant to find the schema file on github :(

Thanks for your feedback. the link of repo is updated and now you can access it. This is the link of the schema file: github.com/vahid-nejad/NestJS-NextJS-Authentication-Turborepo/blob/main/apps/api/prisma/schema.prisma

This is the link of the schema file: github.com/vahid-nejad/NestJS-NextJS-Authentication-Turborepo/blob/main/apps/api/prisma/schema.prisma

Local auth guard is a ware which activates the local strategy

it is recommended by the official documentation.

Thanks 🙏

Thank you so much

Yeah, that's a good idea. i am planning for that

Hi, it's on the repo. Please check the description

Hey, it's in the description

@@SakuraDev Hi. the api folder is a link. No access. Thanks

@@newgenico Thanks for your feedback. The repo link is updated now and I fixed the issue. this is the link to the new repo: github.com/vahid-nejad/NestJS-NextJS-Authentication-Turborepo you can also find it in the description

Thanks for your support ❣️

Hey. Thanks. The repo is in the description now.

Thanks for your feedback. I will do that

Yeah I found that cookie Is not accessible in the API route. The ultimate solution is a database session. although I am searching for a solution with a cookie session and if I find one, I will fix it in the repo and also mention it in the next video. Thanks for bringing that to my attention.

@@SakuraDev I figured out a working solution for my app, I'm using session cookies. Using nextjs middleware I'm updating the session. Its difficult to explain the whole process here.

@@shree_divyansh That's great. Can you share a code example?

@@shree_divyansh can u share the github repo for me

@@DatNguyen-wb8jr Hey I can't share the github repo, working on some business app, can share the few code and logic explanation so that you all can also implement it

Yeah! I should try this

very well explained. W Sakura Dev

@imkir4n Thanks for your support ❤️

@@SakuraDev I successfully implemented this approach, and it worked wonderfully. Honestly, I was searching for a solid pattern to handle authentication without relying on NextAuth or any third-party providers, so we could manage it through our own separate backend.

I am glad it was helpful for you. And I personally prefer this approach

Google authentication is included in this video.