Thank you for you comment, I appreciate it. I'm glad you find the content helpful.

Very glad to hear that. Thanks for leaving your feedback.

I'm glad I was able to help. Thank you for leaving a comment, I appreciate it.

I'm so glad to hear that Mahmod! I appreciate your comment.

My pleasure John! I'm glad you found the video helpful. Thanks for tuning in!

Thanks for the sub! Glad it was helpful. Appreciate the comment.

Glad it was helpful! And welcome to the channel :)

Great to hear!

You are welcome! Glad you found the video helpful!

Glad it was helpful!

Glad this was helpful Semaj.

Glad it was helpful!

Appreciate that!

Thank you!

I agree, NextAuth documentation needs some help. Did watching the video help? Is there anything else you'd wish to see?

@@hamedbahram I keep coming back to this video to reference the SessionProvider section. Thanks again! The video is so helpful

@@friendly__drone9352 Glad to hear that!

Glad to hear that! I don't have a role based authentication video yet, but I'll make one soon :)

Hey Jackson, glad you liked the videos, thanks for tuning in!

Yes please it will be great to see everything step by step

@@MrMaraxli Absolutely Tony!

Thanks Sahand!

Glad you found it helpful!

Glad it was helpful! I appreciate your comment.

My pleasure! Glad it helped!

Glad to hear that! Sign in flow is pretty straightforward, you just call the sign in method and pass the ID of the provider you want to use. You can look at my code for the sign in page and see how I've implemented it.

Thanks Tarek, I'm glad you found it helpful.

Glad to hear that!

Thanks Alfredo.

😂 It think that's because of the layout `fill` property and how I'm styling the image.

Glad you find the video useful. The `next-auth` package provides standard built-in pages, but the sign-in page in this example is a custom page I created. You can reference the source code in the `app/signin/page.jsx` to see the component rendering this page.

Your welcome! Thanks for tuning in Luis.

My pleasure! Glad you find the content helpful. As far as using your own backend with NextJs, I have an upcoming video covering that, it's not necessarily migrating from a React app, but more so how you'd go about using your own server when using NextJs. So stay tuned and I think that'll help you.

​@@hamedbahram Thank you so much for the quick and thoughtful response! I'm genuinely excited about your upcoming video on integrating a custom backend with Next.js. Your willingness to address this specific scenario is truly appreciated, and I can't wait to gain insights from your expertise. Your dedication to providing valuable content is evident, and I'll definitely be staying tuned for the release. Keep up the fantastic work!

@@amirmp3715 Absolutely!

Hey! I'm glad you found the channel helpful. That's interesting, do you have the same setup as mine?

Thanks for the feedback Shawn! Will do!

@@hamedbahram Yes, defintely need this video with a middleware how-to

@@KyleMcNally You got it Kyle. Thanks for tuning in.

Thanks for tuning in Irtaza. That can be done with using route groups where you would require auth at the root layout level to effect all the sub-pages. You can also use a middleware, define your protected pages, and intercept the request and redirect if not logged in. That'll be an interesting topic for a future video.

Appreciate your comment.

I think you can use the `useSession` hook directly. An alternative is to use the middleware option where you can define what pages would be protected pages, so you don't have to use the `useSession` hook or the `getServerSession` on each page.

You're welcome!

Glad to hear that!

You can use the `getServerSession` function to check if the user is authenticated from inside your route handlers (API routes) - which eliminates the need to pass any tokens from the client-side to your endpoint. Does this answer your question? or am I missing something?

@hamedbahram thanks a lot for the reply! :) if I have an external backend (let's say in django) that requires me to pass a token in the url's headers, I would still need to pass the token. And I wouldn't know how to do that with next 13. :/

@@samuelliotta9437 If you're using the fetch API to hit your external backend, then you can pass tokens to your request headers. Does that answer you question or am I missing something?

Yes and no. The point is, where would I store the token to pass to the requests headers? The local storage is not available, some state manager would also not do, because the token needs to be available server side. I assume I'd have to set the token as a cookie upon successful login and that would make it available on the server (and I could set it through next's Middleware for those specific routes that need it). Does that make sense? Ps. I really appreciate your help! ;)

Ok now I see what the problem is. Depending on the authentication flow you're using, you can store the access token in your session database in the backend, retrieve the sessionId from the cookies on the request, lookup the session and retrieve the access token from your session database. As you mentioned it would involve using cookies to pass references to the server, that said, It wouldn't be safe to store the access token itself as a cookie.

You can check the session on the `/signin` page and should them a `SignOut` form or redirect them to home page.

Thanks for tuning in Amer.

@@hamedbahram but im getting this error decryption operation failed { message: 'decryption operation failed', stack: 'JWEDecryptionFailed: decryption operation failed ' + ' at gcmDecrypt (webpack-internal:///(sc_server)/./node_modules/jose/dist/node/esm/runtime/decrypt.js:81:15) ' + ' at decrypt (webpack-internal:///(sc_server)/./node_modules/jose/dist/node/esm/runtime/decrypt.js:104:20) ' + ' at flattenedDecrypt (webpack-internal:///(sc_server)/./node_modules/jose/dist/node/esm/jwe/flattened/decrypt.js:127:90) ' + ' at async compactDecrypt (webpack-internal:///(sc_server)/./node_modules/jose/dist/node/esm/jwe/compact/decrypt.js:22:23) ' + ' at async jwtDecrypt (webpack-internal:///(sc_server)/./node_modules/jose/dist/node/esm/jwt/decrypt.js:12:23) ' + ' at async Object.decode (webpack-internal:///(sc_server)/./node_modules/next-auth/jwt/index.js:44:26) ' + ' at async Object.session (webpack-internal:///(sc_server)/./node_modules/next-auth/core/routes/session.js:25:34) ' + ' at async AuthHandler (webpack-internal:///(sc_server)/./node_modules/next-auth/core/index.js:161:37) ' + ' at async getServerSession (webpack-internal:///(sc_server)/./node_modules/next-auth/next/index.js:129:21) ' + ' at async ServerProtectedPage (webpack-internal:///(sc_server)/./app/protected/server/page.tsx:16:21)', name: 'JWEDecryptionFailed' }

to solve that Add a secret key in the NextAuth configuration file. You can generate a random secret key using OpenSSL or another tool export const authOptions: NextAuthOptions = { ⚠⚠ secret: process.env.SECRET_KEY , providers: [ GoogleProvider({ clientId: process.env.GOOGLE_CLIENT_ID!, clientSecret: process.env.GOOGLE_CLIENT_SECRET!, }), ], pages: { signIn: "/sign-in", }, };

Glad I could help!

This happens when you're protecting a page on the client side using the `useSession` hook. To avoid this, you must either change the page to a server page and use `getServerSession` to check the session or use middleware to protect your page. You can watch this video where I show how to use middleware: kzbin.info/www/bejne/iXe0qKelZdepptU

Glad you like it! I can give you student discount if it helps? send me an email.

You're welcome man. Sure I'll have that in mind. Thanks for tuning in.

You can use the `encode` and `decode` function in next-auth to create your own tokens. You can read more about it here => next-auth.js.org/configuration/options#override-jwt-encode-and-decode-methods

Thanks for the feedback Nikhil, and I'm glad you found the video useful.

Welcome to the channel Aritra. Font is operator mono.

@@hamedbahram Thanks

A client component will be pre-rendered on the server to generate the html but when it reaches the browser you can protect it with the `useSession` hook. If you want to authenticate on the server you should use a server component and use the `getServerSession` hook. Or you can eliminate all that and use a middleware to check the session before the response is sent to the browser. Does this answer your question?

@@hamedbahram hey thanks for the response, Middleware is a good option, but I want to show an error page if the user is not authenticated and accesses the protected route, I don't see any way to modify the sign in url and redirect manually to error page

@@infinite4evr Is this from a client component or a server component?

What do you mean by fetch data internally from the website?

@@hamedbahram sorry, I mean to say, how to fetch data from the protected api routes in backend/page/server component using `fetch`? I did like let res = await fetch("https:/mywebsite/api/users", {...}) let users = await res.json() return users but it gives me errors. Upon debugging (just a console.log), I found that `session` variable is null, so it's returning "SESSION NOT FOUND" error message from the api. Also there's no Cookie, I checked `req.cookies()`. How to fix?

Thanks!

When initializing NextAuth you can set `maxAge` on the `session` object which is the session expiry time in seconds. This works in the `pages` router; However, currently in server components we only have read access to cookies and the `expires` time defaults to 30 days.

yes , it is server component ,can 't set it ? @@hamedbahram

From where are you sending the fetch request? Is it from a client component?

​@@hamedbahram It's a server component, though I have tried as a client component as well - in both instances it returns the error message from the !session if check, however going directly to that api endpoint in the browser returns my email address. I don't know whether it's a technical issue I am having or whether I have just got the flow wrong, but I was thinking that because I am logged in and because I have a session cookie (which I guess is why it works by going directly to the endpoint in the browser) that it should work when doing a fetch, but no matter what way I seem to use it - I always get no session if I don't visit the api endpoint in the browser.

I'm not sure about your implementation on the client-side and what's causing the error. However, on the server-side, you don't need to call your API, you're already on the server, just do whatever it is you're doing in your API directly in your server component.

No it won't. You can pass server components as props or children to client components without effecting the server-client boundary.

@@hamedbahram This is the layout file: {children} Footer Now Header is in the client based component because of next auth using context api. The header contains an api call for the menu data. Now the api request shows up in the network tab. If I remove the session provider wrapper then it does not show up in the network tab. I also have a products listing page but that seems to work fine. its not showing the api call for the products page in the network tab.

Good question. No it does not. If you pass server components as children to client components, it doesn't turn them into client components. However if you import a server component into a client component, it will be considered a client component, and will potentially break your code if it is async.

Thanks.

You can use the `jwt` callback together with the `session` callback to add more data to the session object. Read more about it here => next-auth.js.org/configuration/callbacks#jwt-callback

@@hamedbahram Thank you! I was already doing that but I realized the error was in the next-auth config itself! Comparing my config to yours and the docs fixed my problem. I really appreciate your answer!

@@zabialy2919 My pleasure!

You may still need the CallbacKURL though

Thanks for the feedback. The redirect does not fail. It redirects but it doesn't set the search params correctly.

Sorry man just saw that 😂

Providing the `session` prop to the `SessionProvider` helps to avoid fetching the session twice if we've already fetched it before. If you want to you can fetch the session in your root layout and pass it to the `Provider` component and from there to the `SessionProvider` component.

@@hamedbahram great I thought the same to use getserversession in rootlayout and pass it to the session provider ! Is there any reason you didn’t use it in your video ?

@@hamedbahram also if we don’t pass session to the provider then how useSession hook is able to get it, and does client and server sessions differ, can you plz clear my silly doubts 🥹

@@ayushjain7023 It wouldn't have made any difference in my case since I'm not fetching the session anywhere else.

What error are you getting?

Uhmm 🤔, I'll look into it, in the mean time, try exporting your auth options from a different file like `_options.js` and import in the `[...nextauth]/route.js` file and let me know if that solved the problem.

@@hamedbahram wow, that resolved the issue!! Thanks so much!

@@cirdamih Awesome! glad hear that.

@@hamedbahram I had a similar issue but I was getting this different error: "Property 'authOptions' is incompatible with index signature. Type 'AuthOptions' is not assignable to type 'never'." Your solution worked. But, I wonder why that happens? It's like it doesn't accept any other code than a "handler" variable being exported 🤔

That's right, it treats exports from `route.ts` as handlers.

Thanks! you can do the lookup inside the `jwt` callback. If this should only happen once for new users, you can check the `isNewUser` argument passed to the `jwt` callback. See here for more: next-auth.js.org/configuration/callbacks#jwt-callback

@@hamedbahram Thank you so much for the response let me try it that way.

@@SSango-hk9sm Anytime!

@@hamedbahram So I looked into the `jwt` callback and all the data that is returned. And also I was able to run db queries. but what's left now is to be able to redirect from that callback. Is it possible? Something like this: async jwt({ token, user, account, profile, isNewUser }) { //get user details and perform db query. //Redirect user to different pages depending on the query results } I have tried to redirect using the NextResponse.redirect() but I get the `Invalid URL` error.

@@SSango-hk9sm Try the `redirect` function from `next/navigation` and pass the URL. import { redirect } from 'next/navigation'; ... redirect(`/path`) ... You should be able to also use the `NextResonse` in the following format: import { NextResponse } from 'next/server' ... const destination = new URL('/new'', request.url) return NextResponse.redirect(destination) ...

Thanks for tuning in!

Thanks Aurelien, yes you can use next-auth with `.js` files, and you can most definitely use them in the `pages` directory. see this video I have on the channel: kzbin.info/www/bejne/d3qcm3iul5qXeqM

My pleasure!

You need to set a `callbackUrl` when you're redirecting to the sign-in page, some like `/sign-in?callbackUrl=/the-path-to-redirect`

Thanks for the feedback Karim. That's right you can fetch the session server-side and provide it to the session context provider to avoid fetching it on the client-side.

You got it, should be pretty straight forward.

Different ways to do it: 1. Use a server component to wrap your client component, and fetch the data and pass it to your client component. 2. Move the `useState` hook further down to the actual end component that needs it, therefore you can turn your original client component into a server component.

Check your `NEXTAUTH_URL` env variable and the callback URL you set when creating your Google credentials. Here is some resources to the docs: next-auth.js.org/configuration/options#nextauth_url

Good question! Passing server components as children to client components (like this example) won't make them client components. Only when you import server components inside a client component it will turn everything into a client component. Does that make sense?

😂

Hey! you can definitely use a server rendered component, I used a client side component to be able to add user interaction like clicking the avatar.

Not sure if I understand your question correctly. Did you want to add `username` and `role` to JWT token? If yes you can use the `jwt` callback to customize the token and `session` callback to pass that to the browser. You can read more on it here: next-auth.js.org/configuration/callbacks#jwt-callback. If you meant that you want to override the JWT encoding and decoding methods, you can do so by passing `jwt` option to your `next-auth` config as follows: next-auth.js.org/configuration/options#override-jwt-encode-and-decode-methods. Does this answer your question?

You can't use the `getServerSession` client side since it required access to the `req` object. You can only use it on the server. You can use the `useSession` hook on the client-side to hook into the session provided by the React context.

There is currently not an easy way to get the current `path` in your server components. The only other way to protect a server-rendered path would be to use a middleware. See this video: kzbin.info/www/bejne/iXe0qKelZdepptU

@@hamedbahram Thanks for your reply. I was able to code it. Pasting here for other's reference. import { headers } from "next/headers"; import { redirect } from "next/navigation"; if (!session) { const headersList = headers(); const currentPathName = headersList.get("x-invoke-path") || ""; currentPathName ? redirect("/login?callbackUrl=" + currentPathName) : redirect("/login"); }

@@hamedbahram I had one more question. Is headless UI or mantine supported with app directory for SSR pages?

Sweet! Just keep in mind that `headers()` is a dynamic function and using it in a layout or page will opt the route into dynamic rendering at request time. As far as the UI libraries, you might need to wrap them in your own client components with the `use client` directive to work. I don't know of any that supports the App router yet, and since most of the use hooks and context, you won't be able to directly use them in server components.

That's good question! I'm actually working on a video about creating a proxy on top of your backend API for rate limiting and authentication. So stay tuned.

@@hamedbahram your the best!

I've explained that thoroughly in the video. If it's a server component you can use the `getServerSession` function, and if it's in a client components you can use `useSession` hook to check the session.

@@hamedbahram That's cool. But the challenge is a flash of the login screen before the redirection happens to the home page. Was wondering if there's a better alternative

You can use a middleware to intercept the request, authenticate, and redirect if not logged in. Watch this video: kzbin.info/www/bejne/iXe0qKelZdepptU

Salam Erfan Jan, The session token is stored as HttpOnly cookie by default.

@@hamedbahram i asked this question because i see token cookie in application tab and with remove that, user logouting. i thought that we not access httpOnly cookie in client

@@erfansormi4605 HttpOnly means that they cannot access the cookie from JavaScript code. Users can always go to the application tab in their developer tools and see all the cookies.

@@hamedbahram thank you very much🙏🏼

You're welcome.

Can you expand on what you mean by identity server?

@@hamedbahram next-auth/providers/duende-identity-server6

I'm glad to hear that! You definitely need to set the `NEXTAUTH_SECRET`. It is used to encode your Jason Web Token. And you need to set it to a strong, long, random string.

@@hamedbahram Thank you very much for the information, would you know which environment variables are mandatory?

@@gustavoseabra7495 you're welcome. The NEXTAUTH_URL and the NEXTAUTH_SECRET are required, and obviously your credentials for any providers you want to add the NextAuth.

good evening hamed sorry to ask again. on localhost my sign in and signout function redirect correctly. however, in production they are trying to take the %27https route, do you know what it could be?

@@gustavoseabra7495 what do you mean by taking the HTTPS route?

Trying to understand the question here, what do you mean by instead of JWT?

​@@hamedbahram JWT means JSON Web Tokens. I had watched some tutorials that used this approach to protect API. It was complex for me so I'm finding some easier ways.

​@@HaHoang-qk6ti I know what JWT is but didn't understand what you're trying to do with it. Generally speaking, with next-auth you can use JWT to authenticate users instead of database sessions. You can also define different roles for your users and limit the access to some pages, only if they are "admin" users. Let me know if this answers your question.

@@hamedbahram Sorry for my bad explanation. You're right, I did want to define different roles for users and limit the access to some pages. I want to do it in the simplest way - only use next-auth (I don't want to combine with JWT). Is it possible and good enough?

@@HaHoang-qk6ti Yes you can do that completely with next-auth. Just so you know next-auth also has JWT sessions, where instead of a database you store user data in Json web tokens. I have a video on the channel where I review all these options in next-auth. You can watch it here and let me know if you have any questions: kzbin.info/www/bejne/d3qcm3iul5qXeqM

Hi Juan! Interesting use case, I'll have that in mind for future videos.

Anytime!

Thanks for your feedback Alex. The login page is pretty straight forward if you look at the source code (link in the description) I'm using the `signin` function from `next-auth` to start the Google signin flow. You can watch this video where I dive deeper into next-auth: kzbin.info/www/bejne/d3qcm3iul5qXeqM Also if you use the token strategy, next-auth would handle your JWT token for you. You can access / modify your token inside `jwt` callback. You can read about it here: next-auth.js.org/configuration/callbacks#jwt-callback

Make sure you've created your Google OAuth correctly, you can read more here: next-auth.js.org/providers/google You can also compare your code to mine and see if you've set everything up correctly.

Which branch are you trying to deploy?

Did you include a `route.js` file inside the `/api/auth/[...nextauth]` folder?

@@hamedbahram yes

Thanks next-auth/next this getting issue after remove /next it started working

It should work; not sure why you're getting the error. Vercel does support the App router, but Typescript support of the new features is not 100% there.

@@hamedbahram thx for the reply. It works locally with typescript and it’s able to run nicely with all the auth features. Only got this error when deploy to vercel not sure why.

@@hamedbahram the app router for other api files all working file. Only the auth not building right.

@@LbovboE run a build locally and see if you get the same error and if you can trace what's causing it.

You can look into solutions like DataDome or Botd, to protect against bots, here are links to sample code: vercel.com/templates/next.js/bot-protection-botd vercel.com/templates/next.js/bot-protection-datadome

@@hamedbahram thank you does it on google seo

You're welcome!

Glad you found the video helpful. Regarding the error, you have to set the `NEXTAUTH_SECRET` environment variable. This is a random long string that'll be used to hash your tokens.

Welcome to the channel Waleed! Say hi to your brother :)

Awesome videos! Could you talk about state management for nextjs? I don't know if i should use redux toolkit, zustand, jotai o something else

@@juanferrer5885 Thanks Juan, that sounds like a good topic for a future video.

Thanks for your feedback. I'll do it in my future videos.

Thank you! I appreciate that.

🙌🏼

I'll definitely have that in mind for future next-auth videos.

Bale ghorban. Mokhlesim.

@@hamedbahram عزیز دلی باعث افتخارمون هستی

Middleware runs on the edge runtime by default and Prisma can't run on the edge.

@@hamedbahram hmm if i dont use prisma adapter but just google provider, can i start using middleware to protect routes then? Not sure how prisma affects how nextauth works

@@MrAtomUniverse Yes that should solve the problem. If you're using an adapter like prisma to connect NextAuth to your database it uses it to read user data, but as I mentioned prisma can't run on the edge for the time being.

You're welcome.