Paths with a "." are ignored by authMiddleware()
#1656
Comments
Hey @IGassmann - just want to drop a little context here. The reason we ignore paths with a However, what you have brought up here is entirely valid and we're going to think about how we can provide a solution for you here. Any ideas you have are of course welcome as well!

Hey @IGassmann we have recently updated our default matcher and ignored routes patterns to be more tolerant of
Hey @BRKalow! Unfortunately, this doesn't solve our use case because we do have URLs in the following format:
Our event names follow the dot case notation and can appear in the last segment of a URL. The Clerk's matcher would exclude those. I wonder if this Next.js middleware config is enough to avoid running auth on requests to assets:

```js
export const config = {
  matcher: [
    /*
     * Match all request paths except for the ones starting with:
     * - _next/static (static files)
     * - _next/image (image optimization files)
     * - favicon.ico (favicon file)
     */
    '/((?!_next/static|_next/image|favicon.ico).*)',
  ],
}
```

Next.js's static files (JS, CSS, fonts...) files that are statically imported in code are all served from
Thanks for providing that additional information 👍 We currently have these tests: https://github.com/clerkinc/javascript/blob/164f3aac7928bc69301846130cc77986569d4e91/packages/nextjs/src/server/authMiddleware.test.ts#L134-L147 When I add your usage example to them, they fail:

```
✕ does not match /protected/hello.example
✕ does not match /protected/hello.world.example
✕ does not match /protected/hello.world.example.here
```

So we have more fine-tuning here to do. Your suggestion for the matcher is the same as https://nextjs.org/docs/pages/building-your-application/routing/middleware#matcher - we should try if we can make it simpler like that 👍
I also ran into this issue, and after going down a rabbit hole through the source code I figured out that it was due to In the app I'm building, I have pages for domains in the format Is this being worked on? Any expectation on when this will be supported?
Hi @codyjk! This can be worked around by updating your middleware matcher and passing a custom
We do a best-effort match here, but as you have seen it doesn't handle all edge cases. Feel free to tweak the middleware matcher and

Thanks for the suggestion - unless I'm missing something, any path that matches Are there any plans to formally support paths in the form
@codyjk Correct, but you can provide your own

```js
ignoredRoutes: [`/((?!api|trpc|domains))(_next.*|.+\\.[\\w]+$)`]
```

And updating the middleware matcher:

```js
export const config = {
  matcher: ['/((?!.+\\.[\\w]+$|_next).*)', '/', '/(api|trpc|domains)(.*)'],
};
```

This would prevent any routes starting with
@BRKalow - makes sense, that did the trick. Thanks for the help!
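
Added example (not from the thread and not Clerk's own code): a coverage check that runs the `matcher` and `ignoredRoutes` patterns quoted above against constructed sample paths, to show which application routes still end up without auth enforcement. It assumes each pattern is applied as a regex anchored to the full path, which only approximates how Next.js and Clerk compile these strings; `coverage`, `uncoveredRoutes` and the sample routes are hypothetical names and data.

```javascript
// Patterns copied from the thread. Anchoring with ^...$ is an assumption that
// approximates how the framework compiles matcher strings into regexes.
const MATCHER = ['/((?!.+\\.[\\w]+$|_next).*)', '/', '/(api|trpc|domains)(.*)'];
const IGNORED_ROUTES = ['/((?!api|trpc|domains))(_next.*|.+\\.[\\w]+$)'];

const compile = (patterns) => patterns.map((p) => new RegExp(`^${p}$`));
const anyMatch = (regexes, path) => regexes.some((re) => re.test(path));

// Classify one path: does the middleware run at all, and if it does,
// is the path skipped by ignoredRoutes?
function coverage(path, matcher = MATCHER, ignored = IGNORED_ROUTES) {
  const runs = anyMatch(compile(matcher), path);
  const skipped = anyMatch(compile(ignored), path);
  if (!runs) return 'middleware-not-run';
  return skipped ? 'ignored-by-authMiddleware' : 'auth-enforced';
}

// Return the application routes on which auth is NOT enforced.
function uncoveredRoutes(appRoutes, matcher, ignored) {
  return appRoutes.filter((p) => coverage(p, matcher, ignored) !== 'auth-enforced');
}

// Constructed sample routes, modelled on the path shapes mentioned in the thread.
const APP_ROUTES = [
  '/',
  '/dot.path/dashboard',
  '/domains/example.com',
  '/api/events/user.created',
  '/protected/hello.example',
  '/protected/hello.world.example',
];

// Print a coverage table, including two static-asset paths for comparison.
for (const p of [...APP_ROUTES, '/_next/static/chunk.js', '/favicon.ico']) {
  console.log(p.padEnd(34), coverage(p));
}
console.log('auth not enforced on:', uncoveredRoutes(APP_ROUTES));
```

Running a check like this in CI against the application's real route list turns a silently skipped page into a failing build.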
Hi, Just got caught by the same issue. I believe this could potentially lead to security issues where dev modifies I have to say Next.js doesn't make it easy to filter public assets in the middleware. They seem to ignore public assets in their doc:
Hi all, we've recently adjusted our recommended matcher to more explicitly ignore common static asset extensions, you can see it here: https://clerk.com/docs/quickstarts/nextjs#add-middleware-to-your-application
pk_test_dGVuZGVyLXF1YWdnYS0zMC5jbGVyay5hY2NvdW50cy5kZXYk
Brief Summary of the Issue

Next.js routes that include a `.` in their path are ignored by the `authMiddleware()`, even though `.` is a valid character to have within a URL path:

This makes those pages error in Next.js if they use `auth()` in one of their Server Components.

Potential Solution

The Clerk's default proposed middleware config matcher doesn't match URL paths that include a `.` in their path.

Editing the matcher to allow `.` doesn't solve the issue, because the `authMiddleware()` also ignores those URL paths by default due to its `DEFAULT_IGNORED_ROUTES`.

Both the `DEFAULT_CONFIG_MATCHER` and the `DEFAULT_IGNORED_ROUTES` need to be updated in the `authMiddleware()` code and in the docs to allow for `.` in URL paths.

Minimal Reproduction or Replay

1. `git clone https://github.com/IGassmann/dot-clerk-issue`
2. `npm install` the required dependencies.
3. `npm run dev` to launch the development server.
4. http://localhost:3000
5. http://localhost:3000/dot.path/dashboard which will throw:

Package + Version
@clerk/clerk-js
@clerk/clerk-react
@clerk/nextjs
@clerk/remix
@clerk/types
@clerk/themes
@clerk/localizations
@clerk/clerk-expo
@clerk/backend
@clerk/clerk-sdk-node
@clerk/shared
@clerk/fastify
@clerk/chrome-extension
gatsby-plugin-clerk
build/tooling/chore