From a81dae5a9295b12c98499e23a4e9cf20e859e51a Mon Sep 17 00:00:00 2001 From: Darsh Gupta Date: Wed, 15 Apr 2026 10:59:59 +0530 Subject: [PATCH] fix: prevent middleware from killing sessions after ~5 minutes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The JWT callback in authConfig dynamically imports Prisma to check for soft-deleted users and password changes. Middleware runs in Edge Runtime where Prisma's binary engine is unavailable — the import fails silently, and after 5 consecutive failures the token is wiped, forcing a redirect to the login page. Override the JWT callback in middleware to skip the DB check entirely. Basic token fields (id, email, name) are still set. The full DB check continues to run in the Node.js auth instance on every server action. Fixes #54 Co-Authored-By: Claude Opus 4.6 (1M context)
---
 apps/web/middleware.ts | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/apps/web/middleware.ts b/apps/web/middleware.ts
index c0fcfcc..c8c0024 100644
--- a/apps/web/middleware.ts
+++ b/apps/web/middleware.ts 
@@ -7,12 +7,33 @@ const secret = (process.env.AUTH_SECRET || process.env.NEXTAUTH_SECRET || '') // Use a lightweight NextAuth instance for middleware (Edge Runtime compatible). // This does NOT import the Prisma adapter, which requires Node.js runtime. -// The full auth config (with adapter) is used in server components and API routes. +// The JWT callback is overridden to skip the Prisma DB check (soft-delete/password-change) +// because Prisma binary engine does not run in Edge Runtime. The full DB check still runs +// in the main auth (server components, server actions) which uses Node.js runtime. const { auth } = NextAuth({ secret, session: { strategy: 'jwt' }, trustHost: process.env.NODE_ENV === 'development' || !!process.env.VERCEL || process.env.AUTH_TRUST_HOST === 'true', ...authConfig, + callbacks: { + ...authConfig.callbacks, + async jwt({ token, user, trigger, session }) { + if (user) { + token.id = user.id ?? ''; + token.email = user.email ?? ''; + token.name = user.name ?? ''; + token.avatarUrl = user.avatarUrl; + } + if (trigger === 'update' && session) { + token.name = session.name; + token.avatarUrl = session.avatarUrl; + } + // No DB check here — Edge Runtime cannot import Prisma binary engine. + // The full JWT callback (with soft-delete + password-change checks) runs + // in the Node.js auth instance on every server action / server component call. + return token; + }, + }, }); export default auth;
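Review bot: The overridden `jwt` callback makes middleware trust any token with a valid signature until it expires, so a soft-deleted user or one whose password was changed keeps passing every middleware-guarded route for the remainder of the token lifetime (`session.maxAge`, not shown in this hunk); the new comment block should state that residual window explicitly rather than only pointing at the Node.js instance, e.g. `// Revocation (soft-delete / password change) is NOT enforced at the edge; a revoked token stays valid here until it expires.` The claim that the full check runs "on every server action / server component call" only holds for code paths that actually invoke the Node.js `auth()`, so routes or static pages gated solely by this middleware should not be treated as revocation-aware. The `trigger === 'update' && session` branch copies `session.name` and `session.avatarUrl` into the token without any check; those values originate from the client's `update()` payload, so whatever validation `authConfig.callbacks.jwt` applies (if any) now has a second, unguarded copy that will drift — extracting the two field-copy steps into a small helper shared with `authConfig` would keep the Edge and Node instances in sync.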