Bird
Raised Fist0
NextJSframework~10 mins

Authentication in middleware in NextJS - Step-by-Step Execution

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Concept Flow - Authentication in middleware
Request arrives
Middleware runs
Check for auth token
Validate
Allow
request
The middleware checks each request for an authentication token. If found, it validates it and allows the request. If not, it redirects to login.
Execution Sample
NextJS
import { NextResponse } from 'next/server';

export function middleware(request) {
  const token = request.cookies.get('authToken');
  if (!token) return NextResponse.redirect(new URL('/login', request.url));
  return NextResponse.next();
}
Middleware checks for 'authToken' cookie; if missing, redirects to login; otherwise, allows request to continue.
Execution Table
StepActionToken Present?ResultResponse
1Request arrives with cookiesYesToken foundContinue request
2Middleware reads cookiesYesToken validNextResponse.next()
3Request proceeds to pageYesAccess grantedPage rendered
4Request arrives without cookiesNoToken missingRedirect to /login
5Middleware redirectsNoNo token to validateNextResponse.redirect(new URL('/login', request.url))
6Request stopsNoAccess deniedLogin page shown
💡 Execution stops when token is missing and redirect happens, or continues if token is valid.
Variable Tracker
VariableStartAfter Step 1After Step 2After Step 4After Step 5
tokenundefined'abc123' (present)'abc123' (valid)undefined (missing)undefined (redirect)
Key Moments - 2 Insights
Why does the middleware redirect instead of allowing the request when the token is missing?
Because the middleware checks if the token exists (see execution_table row 4). If it doesn't, it immediately returns a redirect response to '/login' (row 5), stopping the request from continuing.
What happens if the token is present but invalid?
In this simple example, the middleware only checks presence, not validity. To handle invalid tokens, you would add validation logic after step 2 before allowing the request.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table, what is the response at Step 2 when the token is present?
ANextResponse.redirect('/login')
BNextResponse.next() to continue
CRequest stops with error
DNo response sent
💡 Hint
Check the 'Response' column at Step 2 in the execution_table.
At which step does the middleware decide to redirect the user to the login page?
AStep 5
BStep 3
CStep 1
DStep 6
💡 Hint
Look for 'NextResponse.redirect' in the 'Response' column.
If the token variable was always undefined, what would happen according to the variable_tracker?
ARequests always continue
BRequests sometimes continue
CRequests always redirect to login
DMiddleware crashes
💡 Hint
See variable_tracker values for 'token' and how missing token triggers redirect in execution_table.
Concept Snapshot
Authentication in Next.js middleware:
- Middleware runs on every request
- Check for auth token in cookies
- If token missing, redirect to login
- If token present, allow request
- Use NextResponse.next() to continue
- Use NextResponse.redirect() to redirect
Full Transcript
In Next.js, middleware runs on every incoming request. It checks if the request has an authentication token in its cookies. If the token is missing, the middleware redirects the user to the login page, stopping the request from continuing. If the token is present, the middleware allows the request to proceed to the requested page. This process helps protect pages by ensuring only authenticated users can access them. The key steps are reading the token, deciding based on its presence, and responding with either a redirect or continuation.

Practice

(1/5)
1. What is the main purpose of using middleware for authentication in Next.js?
easy
A. To fetch data from an external API before rendering
B. To check if a user is logged in before allowing access to certain pages
C. To style the pages dynamically based on user preferences
D. To optimize images for faster loading

Solution

  1. Step 1: Understand middleware role

    Middleware runs before page rendering to control access.

  2. Step 2: Identify authentication use

    Middleware checks if user is logged in to allow or block access.

  3. Final Answer:

    To check if a user is logged in before allowing access to certain pages -> Option B

  4. Quick Check:

    Middleware controls access = C [OK]
Hint: Middleware runs before pages to check login [OK]
Common Mistakes:
  • Thinking middleware styles pages
  • Confusing middleware with data fetching
  • Assuming middleware optimizes images
2. Which of the following is the correct way to import middleware in Next.js 14+ for authentication?
easy
A. import { NextResponse } from 'next/server';
B. import { middleware } from 'next/auth';
C. import middleware from 'next/middleware';
D. import { useMiddleware } from 'next/hooks';

Solution

  1. Step 1: Check Next.js middleware import

    Next.js middleware uses 'next/server' for NextResponse and request handling.

  2. Step 2: Identify correct import

    Only 'import { NextResponse } from "next/server";' is valid for middleware response.

  3. Final Answer:

    import { NextResponse } from 'next/server'; -> Option A

  4. Quick Check:

    Middleware uses NextResponse from next/server [OK]
Hint: Middleware uses NextResponse from 'next/server' [OK]
Common Mistakes:
  • Importing middleware from 'next/auth' which doesn't exist
  • Using default import from 'next/middleware' which is invalid
  • Trying to import hooks for middleware
3. Given this middleware code snippet, what happens when a user is not authenticated?
import { NextResponse } from 'next/server';
export function middleware(request) {
  const token = request.cookies.get('token');
  if (!token) {
    return NextResponse.redirect(new URL('/login', request.url));
  }
  return NextResponse.next();
}
medium
A. The middleware throws an error
B. The user stays on the current page without changes
C. The user is redirected to the /login page
D. The user is redirected to the homepage

Solution

  1. Step 1: Check token presence

    The code checks if 'token' cookie exists; if not, it redirects.

  2. Step 2: Understand redirect behavior

    Without token, middleware returns redirect to '/login' URL.

  3. Final Answer:

    The user is redirected to the /login page -> Option C

  4. Quick Check:

    No token means redirect to /login [OK]
Hint: No token cookie triggers redirect to /login [OK]
Common Mistakes:
  • Assuming user stays on page without token
  • Thinking middleware throws error on missing token
  • Confusing redirect to homepage instead of /login
4. Identify the error in this Next.js middleware code for authentication:
import { NextResponse } from 'next/server';
export function middleware(request) {
  const token = request.cookies.token;
  if (!token) {
    return NextResponse.redirect('/login');
  }
  return NextResponse.next();
}
medium
A. Accessing cookies should use request.cookies.get('token') instead of request.cookies.token
B. NextResponse.redirect requires a full URL, not just '/login'
C. Middleware function must be async
D. NextResponse.next() should be replaced with NextResponse.continue()

Solution

  1. Step 1: Check cookie access method

    In Next.js middleware, cookies are accessed with request.cookies.get('token'), not as a property.

  2. Step 2: Verify redirect argument

    NextResponse.redirect accepts a URL object or string, but string '/login' is allowed; full URL preferred but not mandatory.

  3. Final Answer:

    Accessing cookies should use request.cookies.get('token') instead of request.cookies.token -> Option A

  4. Quick Check:

    Use cookies.get('token') to read cookie [OK]
Hint: Use cookies.get('token') to read cookies in middleware [OK]
Common Mistakes:
  • Accessing cookies as properties instead of using get()
  • Thinking redirect needs full URL always
  • Assuming middleware must be async
  • Confusing NextResponse.next() with continue()
5. You want to protect only the /dashboard and /profile pages using middleware authentication. Which matcher configuration correctly applies middleware only to these paths?
export const config = {
  matcher: ???
};
hard
A. ['/dashboard', '/profile']
B. '/dashboard|/profile'
C. '/dashboard/*,/profile/*'
D. ['/dashboard*', '/profile*']

Solution

  1. Step 1: Understand matcher syntax

    Matcher accepts array of path patterns; '*' matches subpaths.

  2. Step 2: Choose correct pattern for pages

    Using ['/dashboard*', '/profile*'] matches both exact and nested routes under these paths.

  3. Final Answer:

    ['/dashboard*', '/profile*'] -> Option D

  4. Quick Check:

    Use array with wildcard for matcher [OK]
Hint: Use array with '*' wildcard for matcher paths [OK]
Common Mistakes:
  • Using string with pipe '|' instead of array
  • Omitting '*' wildcard to match subpaths
  • Using comma-separated string instead of array