Proper way to whitelist/publicize a health api route with authMiddleware? #1441
Comments
Hello @dcyoung

Perfect. Thanks!
@dimkl Using the ignoredRoutes works and is definitely more explicit, but I'm seeing the following log whenever I hit the health endpoint (even in a prod build):
We run health checks in our orchestration layer at frequent intervals (~15s), and this may pollute our logs. Any way to suppress this log? Also, the config recommended by the message is identical to the one exported in my middleware file.
🤔 We cannot determine if the request is for an ignored route or not before receiving a request, so I couldn't find a way to skip this log. We are taking a deeper look at some conditions we have, to allow adding the

```javascript
export default authMiddleware({
  apiRoutes: [/\/api/],
  publicRoutes: [/\/api\/healthz/]
});
```

Until we make the above or something similar available, I would suggest you to ignore the

Let me know if this works for you.
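Added example, not part of the thread and not Clerk's code: the `publicRoutes` regex in the comment above is unanchored, so it matches any pathname that merely contains `/api/healthz`. The sketch below assumes each route RegExp is applied with `.test()` to the request pathname; `strictHealth`, `probesFor`, `unintendedPublic` and `stillAllows` are hypothetical names, and the probe paths are constructed.

```javascript
// Added example, not Clerk's code. Assumption: each public-route RegExp is
// applied with .test() to the request pathname.

// Pattern as written in the comment above (unanchored).
const looseHealth = /\/api\/healthz/;
// Hypothetical anchored alternative: only the exact path, optional trailing slash.
const strictHealth = /^\/api\/healthz\/?$/;

// Constructed probe paths derived from the one route meant to be public.
function probesFor(intended) {
  return [
    intended,               // the health check itself
    intended + "/",         // trailing-slash form
    intended + "-admin",    // sibling route sharing the prefix
    intended + "/debug",    // nested route under the health path
    "/internal" + intended, // same segment sequence deeper in the tree
    "/api/users",           // unrelated API route
  ];
}

// Probe paths the pattern would make public even though they are not the
// intended route. An empty array means the allowlist entry is tight.
function unintendedPublic(pattern, intended) {
  const allowed = new Set([intended, intended + "/"]);
  return probesFor(intended).filter((p) => pattern.test(p) && !allowed.has(p));
}

// True when the pattern still lets the intended route through.
function stillAllows(pattern, intended) {
  return pattern.test(intended);
}

for (const [name, re] of [["loose", looseHealth], ["strict", strictHealth]]) {
  console.log(name, re.source, {
    allowsHealth: stillAllows(re, "/api/healthz"),
    unintended: unintendedPublic(re, "/api/healthz"),
  });
}
```

A check like this can sit in a unit test beside the middleware file, so a later change to the public-route list cannot silently widen what is reachable without authentication.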
Hi there @dimkl

Can you provide a snippet/example of that matcher regex? Our current setup looks like:

```javascript
export default authMiddleware({
  publishableKey: env.XXX,
  // ...
  ignoredRoutes: ['/api/healthz(.*)'],
});

export const config = {
  matcher: ["/((?!.*\\..*|_next).*)", "/", "/(api|trpc)(.*)"],
};
```
@dimkl ^ friendly bump

I'd like to note that we're working on an easier way to accomplish this with middleware as a first class solution in our upcoming major release. We don't have an exact release date yet but sometime within the next couple months. Hopefully that will make this way easier for you all 😁

Our current middleware is now opt-in instead of opt-out, and so this particular pattern should be much easier to accomplish: https://clerk.com/docs/references/nextjs/clerk-middleware.
With the old middleware, I performed a "public" check on my /api/healthz route, and allowed public traffic before ever calling useAuth. With the new authMiddleware, adding the /api/healthz route to the publicRoute list does not accomplish this behavior.

Instead I'm using a negative look ahead like so:

Is this the recommended method?