diff --git a/docs/docs/configuration/nextjs.md b/docs/docs/configuration/nextjs.md index 25978adf3d..858b05c986 100644 --- a/docs/docs/configuration/nextjs.md +++ b/docs/docs/configuration/nextjs.md @@ -80,10 +80,11 @@ You can get the `withAuth` middleware function from `next-auth/middleware` eithe ### Prerequisites -You must set the [`NEXTAUTH_SECRET`](/configuration/options#nextauth_secret) environment variable when using this middleware. If you are using the [`secret` option](/configuration/options#secret) this value must match. +You must set the same secret in the middleware that you use in NextAuth. The easiest way is to set the [`NEXTAUTH_SECRET`](/configuration/options#nextauth_secret) environment variable. It will be picked up by both the [NextAuth config](/configuration/options#options), as well as the middleware config. -**We strongly recommend** replacing the `secret` value completely with this `NEXTAUTH_SECRET` environment variable. This environment variable will be picked up by both the [NextAuth config](/configuration/options#options), as well as the middleware config. +Alternatively, you can provide the secret using the [`secret`](#secret) option in the middleware config. +**We strongly recommend** replacing the `secret` value completely with this `NEXTAUTH_SECRET` environment variable. ### Basic usage @@ -149,6 +150,22 @@ See the documentation for the [pages option](/configuration/pages) for more info --- +### `secret` + +- **Required**: _No_ + +#### Description + +The same `secret` used in the [NextAuth config](/configuration/options#options). + +#### Example (default value) + +```js +secret: process.env.NEXTAUTH_SECRET +``` + +--- + ### Advanced usage NextAuth.js Middleware is very flexible, there are multiple ways to use it. diff --git a/docs/docs/configuration/options.md b/docs/docs/configuration/options.md index f8534164ae..28f25205eb 100644 --- a/docs/docs/configuration/options.md +++ b/docs/docs/configuration/options.md 
@@ -27,9 +27,8 @@ Using [System Environment Variables](https://vercel.com/docs/concepts/projects/e ### NEXTAUTH_SECRET -Used to encrypt the NextAuth.js JWT, and to hash [email verification tokens](/adapters/models#verification-token). This is the default value for the [`secret`](/configuration/options#secret) option. The `secret` option might be removed in the future in favor of this. +Used to encrypt the NextAuth.js JWT, and to hash [email verification tokens](/adapters/models#verification-token). This is the default value for the `secret` option in [NextAuth](/configuration/options#secret) and [Middleware](/configuration/nextjs#secret). -If you are using [Middleware](/configuration/nextjs#prerequisites) this environment variable must be set. ### NEXTAUTH_URL_INTERNAL diff --git a/packages/next-auth/src/next/middleware.ts b/packages/next-auth/src/next/middleware.ts index 2445924cab..21dbae4bad 100644 --- a/packages/next-auth/src/next/middleware.ts +++ b/packages/next-auth/src/next/middleware.ts @@ -84,6 +84,12 @@ export interface NextAuthMiddlewareOptions { */ authorized?: AuthorizedCallback } + + /** + * The same `secret` used in the `NextAuth` configuration. + * Defaults to the `NEXTAUTH_SECRET` environment variable. + */ + secret?: string } async function handleMiddleware( @@ -102,7 +108,8 @@ async function handleMiddleware( return } - if (!process.env.NEXTAUTH_SECRET) { + const secret = options?.secret ?? process.env.NEXTAUTH_SECRET + if (!secret) { console.error( `[next-auth][error][NO_SECRET]`, `\nhttps://next-auth.js.org/errors#no_secret` @@ -118,6 +125,7 @@ async function handleMiddleware( req, decode: options?.jwt?.decode, cookieName: options?.cookies?.sessionToken?.name, + secret, }) const isAuthorized =
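Review bot: In the Prerequisites hunk of `docs/docs/configuration/nextjs.md`, the kept sentence "**We strongly recommend** replacing the `secret` value completely with this `NEXTAUTH_SECRET` environment variable" now comes straight after the new sentence that introduces the middleware `secret` option. The text therefore offers the option and advises against it in the next line, and "this" has lost its nearby antecedent. Suggest naming the variable without "this" and saying in one clause why the environment variable is preferred. If the reason is that a single source keeps the NextAuth config and the middleware config from drifting apart, state it there.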
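Review bot: The new `### secret` section in `docs/docs/configuration/nextjs.md` says only "The same `secret` used in the NextAuth config" and does not tell the reader what to expect when the two values differ or when neither the option nor `NEXTAUTH_SECRET` is set. The middleware change in this patch logs `[next-auth][error][NO_SECRET]` for the missing case, so the Description could mention that error. It should also say how a mismatched secret shows up, since `!secret` will not catch it. Because the example reads the value from `process.env`, a short remark that the value should come from the environment rather than a literal in the middleware file would fit here too.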
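Review bot: The `NEXTAUTH_SECRET` hunk in `docs/docs/configuration/options.md` removes "The `secret` option might be removed in the future in favor of this", while `nextjs.md` in the same patch still strongly recommends replacing `secret` with the environment variable, so the two pages now give different signals about whether `secret` is a long-term option. Please align them. The removed line "If you are using Middleware this environment variable must be set" is also replaced only by a link to `/configuration/nextjs#secret`. A short statement that Middleware needs a secret from one of the two sources would keep the requirement visible on this page.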
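Review bot: In `handleMiddleware` (`packages/next-auth/src/next/middleware.ts`, hunk at -102,7), `options?.secret ?? process.env.NEXTAUTH_SECRET` falls back to the environment variable only when the option is `null` or `undefined`. An empty string is not nullish, so `secret: ""` skips the fallback and then trips `if (!secret)`, logging NO_SECRET even when `NEXTAUTH_SECRET` is set. Failing closed is the right outcome, but the message printed in this branch still points only at `errors#no_secret` and gives no hint that the option was the cause. Suggest either mentioning the `secret` option in the error output or deciding explicitly whether an empty option should fall back, and documenting that choice in the JSDoc added to `NextAuthMiddlewareOptions`.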