in my production enterprise app that the entire company uses, i get sketchy message: "nextjs-auth0 is attempting to set cookies from a server component,see https://github.com/auth0/nextjs-auth0#using-this-sdk-with-react-server-components"

[Jared-Dahlke]

Checklist

• The issue can be reproduced in the nextjs-auth0 sample app (or N/A).
• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

I am surprised this still persists. Isn't this the official Nextjs Auth0 package? Lee Rob said he tried to talk to you guys about this and is not sure why it is still appearing. Is there some kind of problem that needs fixed? It is embarrassing to have this warning in the console in our production enterprise applications at work. We are 2 major versions in.

Reproduction

run the official Auth0 Nextjs library with any Nextjs 13 or Nextjs 14 app.

Additional context

No response

nextjs-auth0 version

"@auth0/nextjs-auth0": "^3.2.0",

Next.js version

14

Node.js version

20

[adamjmcgrath]

Hi @Jared-Dahlke

It is embarrassing to have this warning in the console in our production enterprise applications at work

The warning only shows in development (when NODE_ENV=development) (see https://github.com/auth0/nextjs-auth0/blob/main/src/http/auth0-next-response-cookies.ts#L8) - so this would suggest your production enterprise applications are running in development mode.

Also, if you read the link the warning points to - you'll see that this is still a valid warning. You cannot write to the cookie in React Server Components, and you are using a feature of the SDK that expects to write to the cookie in a RSC. In these cases the SDK may not behave as expected - more info: https://github.com/auth0/nextjs-auth0#using-this-sdk-with-react-server-components

[Jared-Dahlke]

Why is their a valid warning using the official auth0 library . We are a paid user, is there someone I can talk to about this? Sent from [Proton Mail](https://proton.me/mail/home) for iOS

…

On Thu, Nov 9, 2023 at 6:38 AM, Adam Mcgrath ***@***.***(mailto:On Thu, Nov 9, 2023 at 6:38 AM, Adam Mcgrath <<a href=)> wrote: Hi ***@***.***(https://github.com/Jared-Dahlke) > It is embarrassing to have this warning in the console in our production enterprise applications at work The warning only shows in development (when NODE_ENV=development) (see https://github.com/auth0/nextjs-auth0/blob/main/src/http/auth0-next-response-cookies.ts#L8) - so this would suggest your production enterprise applications are running in development mode. Also, if you read the link the warning points to - you'll see that this is still a valid warning. You cannot write to the cookie in React Server Components, and you are using a feature of the SDK that expects to write to the cookie in a RSC. In these cases the SDK may not behave as expected - more info: https://github.com/auth0/nextjs-auth0#using-this-sdk-with-react-server-components — Reply to this email directly, [view it on GitHub](#1552 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AH3JIESVHZZF4GHYNE2AVJDYDTTF5AVCNFSM6AAAAAA7ES5WFWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMBTHE2TIMZXG4). You are receiving this because you were mentioned.Message ID: ***@***.***>

[adamjmcgrath]

Hi @Jared-Dahlke

Why is their a valid warning using the official auth0 library

The warning is there to inform you that you can't write cookies in a Server Component. This is not a restriction imposed by the SDK, it is imposed by Next.js. The SDK can't change this - we have to operate within the bounds of the framework.

What we can do is warn you, at development time, that the features of the SDK that rely on writing to the cookie wont work in Server Components and share a link where we offer some solutions to this (like writing to the session cookie in the middleware).

We chose to add this warning, at development time, so that you can take any necessary steps to workaround this restriction on Server Components before going to production. If we didn't add a warning developers might only discover this when they start getting feedback from their users about sessions expiring early or noticing increased traffic to their refresh token endpoint.

We are a paid user, is there someone I can talk to about this?

Information about what support channels Auth0 offer are here https://auth0.com/docs/troubleshoot/customer-support/support-channels

[Jared-Dahlke]

I looked at the solutions but they are very minimalistic and not complete. I have no idea how to fix the problem , it doesn’t give any example or detail . Can you please provide the exact code needed to make it work properly? Sent from [Proton Mail](https://proton.me/mail/home) for iOS

…

On Fri, Nov 10, 2023 at 2:36 AM, Adam Mcgrath ***@***.***(mailto:On Fri, Nov 10, 2023 at 2:36 AM, Adam Mcgrath <<a href=)> wrote: Hi ***@***.***(https://github.com/Jared-Dahlke) > Why is their a valid warning using the official auth0 library The warning is there to inform you that you can't write cookies in a Server Component. This is not a restriction imposed by the SDK, it is imposed by Next.js. The SDK can't change this - we have to operate within the bounds of the framework. What we can do is warn you, at development time, that the features of the SDK that rely on writing to the cookie wont work in Server Components and [share a link](https://github.com/auth0/nextjs-auth0#using-this-sdk-with-react-server-components) where we offer some solutions to this (like writing to the session cookie in the middleware). We chose to add this warning, at development time, so that you can take any necessary steps to workaround this restriction on Server Components before going to production. If we didn't add a warning developers might only discover this when they start getting feedback from their users about sessions expiring early or noticing increased traffic to their refresh token endpoint. > We are a paid user, is there someone I can talk to about this? Information about what support channels Auth0 offer are here https://auth0.com/docs/troubleshoot/customer-support/support-channels — Reply to this email directly, [view it on GitHub](#1552 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AH3JIEVPLNPEYPPHTP6PCIDYDX7ULAVCNFSM6AAAAAA7ES5WFWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMBVGQ4DANRQGA). You are receiving this because you were mentioned.Message ID: ***@***.***>

[adamjmcgrath]

Hi @Jared-Dahlke

It's difficult to give the exact code without knowing how you're using the SDK. In most cases it will simply be a case of protecting your routes with withMiddlewareAuthRequired - then your session expiry will be updated every time the user touches the session and you can safely ignore the warning.

If your application has more complex requirements, like refreshing access tokens from react server components - then I'd need some more info to give you a good recommendation.

[ipv4sq]

experiencing the same issue here

export default withMiddlewareAuthRequired();

export const config = {
    matcher: [
        "/dashboard/"
    ]
};

If I understand it correctly, then I can safe ignore this warning in server rendering components right? because the /dashboard is protected and the session is touched every time a user tried to open it?

[adamjmcgrath]

If I understand it correctly, then I can safe ignore this warning in server rendering components right? because the /dashboard is protected and the session is touched every time a user tried to open it?

Correct 👍

[Jared-Dahlke]

ok awesome thank you @adamjmcgrath . I am using middleware so I am good then. I think what throws people off is this sentence here where it says the cookie "can" be written from middleware. Almost as if it's implying something extra has to be done, and it doesn't help that i get the warning as well. Thanks for the clarification!

[Jared-Dahlke]

@adamjmcgrath after writing that comment I realized I need to ask you a clarifying question.

i am using middleware.ts to protect my app, but i'm not using withMiddlewareAuthRequired, i'm doing it manually like this:

//middleware.ts

import { getSession } from "@auth0/nextjs-auth0/edge";
import { NextRequest, NextResponse } from "next/server";

export async function middleware(req: NextRequest) {
  const { nextUrl } = req;
  const session = await getSession();

  const isProtectedRoute =
    nextUrl.pathname.startsWith("/app") || nextUrl.pathname.startsWith("/api");

  const isNotProtectedRoute = nextUrl.pathname.startsWith("/api/auth");
  if (!session && isProtectedRoute && !isNotProtectedRoute) {
    const loginUrl = new URL("/api/auth/login", req.url);
    loginUrl.searchParams.set("returnTo", req.nextUrl.pathname);
    return NextResponse.redirect(loginUrl);
  }

  return NextResponse.next();
}

Am I all good still doing it this way?

[adamjmcgrath]

Yep - you're good, anything that accesses the session (like getSession) is fine, you just need to make sure you use the req/res when you get the session

export async function middleware(req: NextRequest) {
  const { nextUrl } = req;
  const res = NextResponse.next()
  const session = await getSession(req, res);

  const isProtectedRoute =
    nextUrl.pathname.startsWith("/app") || nextUrl.pathname.startsWith("/api");

  const isNotProtectedRoute = nextUrl.pathname.startsWith("/api/auth");
  if (!session && isProtectedRoute && !isNotProtectedRoute) {
    const loginUrl = new URL("/api/auth/login", req.url);
    loginUrl.searchParams.set("returnTo", req.nextUrl.pathname);
    return NextResponse.redirect(loginUrl);
  }

  return res;
}

[adamjmcgrath]

Also, will take another look at those docs. Going to put some time aside shortly to see if there's a better way to support using RSC's than what we're doing at the moment.

[Jared-Dahlke]

@adamjmcgrath , I noticed that I am getting a bunch of these errors in Sentry:

If you read the error it looks like Auth0 is causing the error. Could you share your thoughts/ what i could do to prevent this error , assuming everything is ok...

Error: Dynamic server usage: Page couldn't be rendered statically because it used `cookies`. See more info here: https://nextjs.org/docs/messages/dynamic-server-error
  File "app:///_next/server/chunks/9009.js", line 1, in staticGenerationBailout
  File "app:///_next/server/chunks/9206.js", line 9, in cookies
  File "app:///_next/server/chunks/9206.js", line 1, in Auth0NextRequestCookies.getCookies
  File "app:///_next/server/chunks/9206.js", line 1, in StatelessSession.deleteSession
  File "app:///_next/server/chunks/9206.js", line 1, in StatelessSession.save
...
(5 additional frame(s) were not displayed)