vvo / iron-session

🛠 Secure, stateless, and cookie-based session library for JavaScript

Home Page: https://get-iron-session.vercel.app

session.destroy not working in middleware

dsbrianwebster opened this issue

session.destroy() works as expected outside of middleware. But when invoking it from middleware via iron-session/edge, it appears to have no effect.

NextJS "13.2.4"
Iron Session: "^6.3.1"

// middleware.ts

import { NextResponse } from 'next/server';
import { getIronSession } from 'iron-session/edge';

import type { NextRequest } from 'next/server';

import { sessionOptions } from '~/server/session';

export const config = {
  matcher: ['/account/:path*'],
};

export const middleware = async (req: NextRequest) => {
  const res = NextResponse.next();

  const session = await getIronSession(req, res, sessionOptions);

  session.destroy(); // ! This is not destroying the session / removing the cookie
  return NextResponse.redirect(new URL('/', req.url));
};

Why are you destroying the session when there is no user in it? IG you meant to put that destroy outside that condition.

@brc-dd sorry, this was intended to be a simplified bit of code, not an excerpt from an actual application. I didn't catch that mistake with the user logic. I removed that conditional entirely to avoid confusion, while still replicating the bug.

For save/destroy to work you need to return the res object you gave it (or copy the headers from it to the final response).

const res = NextResponse.redirect(new URL('/', req.url));

const session = await getIronSession(req, res, sessionOptions);
session.destroy();

return res;

@brc-dd thank you. Yes I did try await session.destroy(), but per #571 I'm getting a type error there and even with await it was not working.

@brc-dd per your follow-up comment... 🙌... that was it! The copying of the header approach suited our use case best because we want to conditionally redirect depending on what we get back from getIronSession.

export const middleware = async (req: NextRequest) => {
  const res = NextResponse.next();
  const session = await getIronSession(req, res, sessionOptions);

  //  other stuff...

  session.destroy();
  return NextResponse.redirect(new URL('/', req.url), { headers: res.headers });
};

Many many thank you's!
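
Added example, not part of the thread and not iron-session's code: a regression check that the response a logout path actually returns carries the cookie-clearing Set-Cookie header, run against the two patterns discussed above. It uses only the Fetch API globals (Node 18+); `COOKIE`, `fakeDestroy`, `redirect`, `buggyLogout`, `fixedLogout` and `clearsCookie` are hypothetical names, and `fakeDestroy` is a stand-in for session.destroy() that assumes the cookie is expired with Max-Age=0.

```javascript
const COOKIE = 'app_session'; // constructed cookie name, not from the thread

// Stand-in for session.destroy(): writes an expiring Set-Cookie onto `res`,
// the response object the session was bound to.
function fakeDestroy(res) {
  res.headers.append('set-cookie', `${COOKIE}=; Max-Age=0; Path=/; HttpOnly`);
}

// Minimal redirect response; `headers` is optional and copied if given.
function redirect(url, headers) {
  const out = new Response(null, { status: 307, headers });
  out.headers.set('location', url);
  return out;
}

// Pattern from the original report: destroy on `res`, return a fresh redirect.
function buggyLogout() {
  const res = new Response(null);
  fakeDestroy(res);
  return redirect('https://example.test/');
}

// Pattern from the final comment: copy res.headers onto the redirect.
function fixedLogout() {
  const res = new Response(null);
  fakeDestroy(res);
  return redirect('https://example.test/', res.headers);
}

// Does the response that is actually returned tell the browser to drop
// the named cookie (Max-Age <= 0 or an Expires date in the past)?
function clearsCookie(response, name) {
  const raw = typeof response.headers.getSetCookie === 'function'
    ? response.headers.getSetCookie()
    : [response.headers.get('set-cookie') || ''];
  return raw.some((line) => {
    const [pair, ...attrs] = line.split(';').map((s) => s.trim());
    if (pair.split('=')[0] !== name) return false;
    return attrs.some((a) => /^max-age=(0|-\d+)$/i.test(a) ||
      (/^expires=/i.test(a) && Date.parse(a.slice(8)) <= Date.now()));
  });
}
```

A check like `clearsCookie` belongs in the tests for any logout or forced sign-out route, since the failure in this issue is silent: the redirect succeeds and the browser keeps the session cookie.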