-
Notifications
You must be signed in to change notification settings - Fork 27.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cookies set in middleware missing on server actions #67814
Comments
A bit tricky to see the issue in your example, because, straight up navigating to the landing page, sets a cookie too. That being said, I think something like this should work: import { NextRequest, NextResponse } from "next/server";
export async function middleware(request: NextRequest) {
const expires = new Date();
expires.setMinutes(expires.getMinutes() + 60);
const cookie = {
httpOnly: true,
name: "random_string",
value: Math.random().toString(),
expires,
};
request.cookies.set(cookie.name, cookie.value);
let response = NextResponse.next({
request: {
headers: new Headers(request.headers),
},
});
response.cookies.set(cookie);
return response;
} |
@icyJoseph It's kind of difficult to reproduce, you have to simulate the "access_token" (random_string) cookie expiring when calling server action, that's why I said to clear the cookies in the first step. I tested your example and it worked, but is it the right way to do this? Looks like I'm back to the issue #49442 |
I mean, I put it together from information present in the docs. That link documents how to forward modified headers. And that it is mentioned that you can set cookies on the incoming request:
On the same page as the link above. |
I believe this issue is impacting supabase sever side auth on NextJS supabase/ssr#36 |
We are experiencing this issue in next 14.2.5 and below. Will this be merged to next 14? We cannot migrate to next 15. |
This closed issue has been automatically locked because it had no new activity for 2 weeks. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you. |
If middleware targets a server action handler and sets or updates a cookie, the newly updated cookie would not be reflected in the `cookies()` response of the action handler In #65008 we fixed a bug where cookies set in middleware were not reflected in the `cookies()` call in a server component from the same request. We did this by introducing a `x-middleware-set-cookie` header, that signaled to downstream handlers that middleware had run on the request & set a cookie. However this handling was only applied to the sealed/read-only cookies. Cookies accessed from a server action use `mutableCookies`, since those aren't frozen as a server action is allowed to modify cookies. This pulls the cookie merge handling into a function and applies the merge to `mutableCookies`. Fixes #67814 Closes NDX-95
If middleware targets a server action handler and sets or updates a cookie, the newly updated cookie would not be reflected in the `cookies()` response of the action handler In #65008 we fixed a bug where cookies set in middleware were not reflected in the `cookies()` call in a server component from the same request. We did this by introducing a `x-middleware-set-cookie` header, that signaled to downstream handlers that middleware had run on the request & set a cookie. However this handling was only applied to the sealed/read-only cookies. Cookies accessed from a server action use `mutableCookies`, since those aren't frozen as a server action is allowed to modify cookies. This pulls the cookie merge handling into a function and applies the merge to `mutableCookies`. Fixes #67814 Closes NDX-95
If middleware targets a server action handler and sets or updates a cookie, the newly updated cookie would not be reflected in the `cookies()` response of the action handler In #65008 we fixed a bug where cookies set in middleware were not reflected in the `cookies()` call in a server component from the same request. We did this by introducing a `x-middleware-set-cookie` header, that signaled to downstream handlers that middleware had run on the request & set a cookie. However this handling was only applied to the sealed/read-only cookies. Cookies accessed from a server action use `mutableCookies`, since those aren't frozen as a server action is allowed to modify cookies. This pulls the cookie merge handling into a function and applies the merge to `mutableCookies`. Fixes #67814 Closes NDX-95
If middleware targets a server action handler and sets or updates a cookie, the newly updated cookie would not be reflected in the `cookies()` response of the action handler In #65008 we fixed a bug where cookies set in middleware were not reflected in the `cookies()` call in a server component from the same request. We did this by introducing a `x-middleware-set-cookie` header, that signaled to downstream handlers that middleware had run on the request & set a cookie. However this handling was only applied to the sealed/read-only cookies. Cookies accessed from a server action use `mutableCookies`, since those aren't frozen as a server action is allowed to modify cookies. This pulls the cookie merge handling into a function and applies the merge to `mutableCookies`. Fixes #67814 Closes NDX-95
Link to the code that reproduces this issue
https://github.com/viniciusbitt/nextjs-middleware-server-action-missing-cookie
To Reproduce
Current vs. Expected behavior
I'm doing refresh token rotation in the middleware, and using server actions to validate if the user is logged in, I expected the cookie set on middleware to be visible to server actions
Provide environment information
Which area(s) are affected? (Select all that apply)
Middleware
Which stage(s) are affected? (Select all that apply)
next dev (local), next build (local), next start (local)
Additional context
No response
The text was updated successfully, but these errors were encountered: