DEV Community: Favour Okpara The latest articles on DEV Community by Favour Okpara (@favour_okpara_9dc22591b2f). https://dev.to/favour_okpara_9dc22591b2f https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3730979%2Ff5385896-9e1f-4d62-886b-7f0f2690b070.jpg DEV Community: Favour Okpara https://dev.to/favour_okpara_9dc22591b2f en I penned my thoughts on react rendering behaviour down. Favour Okpara Mon, 09 Feb 2026 10:21:57 +0000 https://dev.to/favour_okpara_9dc22591b2f/i-penned-my-thoughts-on-react-rendering-behaviour-down-397l https://dev.to/favour_okpara_9dc22591b2f/i-penned-my-thoughts-on-react-rendering-behaviour-down-397l <div class="ltag__link"> <a href="/favour_okpara_9dc22591b2f" class="ltag__link__link"> <div class="ltag__link__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3730979%2Ff5385896-9e1f-4d62-886b-7f0f2690b070.jpg" alt="favour_okpara_9dc22591b2f"> </div> </a> <a href="https://dev.to/favour_okpara_9dc22591b2f/understanding-reacts-rendering-behavior-what-actually-triggers-a-re-render-2aih" class="ltag__link__link"> <div class="ltag__link__content"> <h2>Understanding React's Rendering Behavior: What Actually Triggers a Re-render?</h2> <h3>Favour Okpara ・ Feb 9</h3> <div class="ltag__link__taglist"> <span class="ltag__link__tag">#react</span> <span class="ltag__link__tag">#webdev</span> <span class="ltag__link__tag">#programming</span> <span class="ltag__link__tag">#javascript</span> </div> </div> </a> </div> react webdev programming javascript Understanding React's Rendering Behavior: What Actually Triggers a Re-render? Favour Okpara Mon, 09 Feb 2026 09:22:37 +0000 https://dev.to/favour_okpara_9dc22591b2f/understanding-reacts-rendering-behavior-what-actually-triggers-a-re-render-2aih https://dev.to/favour_okpara_9dc22591b2f/understanding-reacts-rendering-behavior-what-actually-triggers-a-re-render-2aih <h2> TL;DR </h2> <p>React components re-render for exactly four reasons: state changes (useState/useReducer), parent component re-renders, context value changes, and custom hook state changes. Props changing doesn't directly cause re-renders—the parent re-rendering does. Mutating regular variables or refs won't trigger re-renders. React is fast by default, so only optimize when you have a proven performance issue.</p> <p>If you've ever wondered why your React component re-rendered when you didn't expect it to, or worse, why it <em>didn't</em> re-render when you needed it to, you're not alone. React's rendering behavior can feel magical at first, but understanding what's happening under the hood will make you a more confident developer.</p> <p>Let's break down exactly what triggers re-renders in React, clear up common misconceptions, and build a mental model you can rely on.</p> <h2> What is a "Render" Anyway? </h2> <p>Before we dive into triggers, let's clarify what we mean by "render." In React, rendering is the process of calling your component function (or the <code>render()</code> method in class components) to determine what should be displayed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="kd">function</span> <span class="nf">MyComponent</span><span class="p">()</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Component is rendering!</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span>Hello World<span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;;</span> <span class="p">}</span> </code></pre> </div> <p>Every time you see that console.log fire, React is rendering your component. But rendering doesn't automatically mean the DOM updates. React first calculates what <em>should</em> change, then only updates the actual DOM if necessary. This is a crucial distinction.</p> <h2> The Four Fundamental Re-render Triggers </h2> <p>There are exactly four things that cause a React component to re-render:</p> <h3> 1. State Changes </h3> <p>When you call a state setter function (from <code>useState</code> or <code>useReducer</code>), React schedules a re-render of that component.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="kd">function</span> <span class="nf">Counter</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">count</span><span class="p">,</span> <span class="nx">setCount</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">increment</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setCount</span><span class="p">(</span><span class="nx">count</span> <span class="o">+</span> <span class="mi">1</span><span class="p">);</span> <span class="c1">// Triggers a re-render</span> <span class="p">};</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="nx">increment</span><span class="si">}</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">count</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Note:</strong> React uses <code>Object.is()</code> comparison to check if the state actually changed. If you set state to the same value it already has, React will bail out of the re-render.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="kd">const</span> <span class="p">[</span><span class="nx">count</span><span class="p">,</span> <span class="nx">setCount</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="mi">5</span><span class="p">);</span> <span class="nf">setCount</span><span class="p">(</span><span class="mi">5</span><span class="p">);</span> <span class="c1">// No re-render! Value didn't change</span> </code></pre> </div> <h3> 2. Parent Component Re-renders </h3> <p>This is the source of many "Why did this re-render?" moments. <strong>When a parent component re-renders, all of its children re-render by default</strong>, regardless of whether their props changed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="kd">function</span> <span class="nf">Parent</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">count</span><span class="p">,</span> <span class="nx">setCount</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">setCount</span><span class="p">(</span><span class="nx">count</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span><span class="si">}</span><span class="p">&gt;</span>Click me<span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Child</span> <span class="p">/&gt;</span> <span class="si">{</span><span class="cm">/* Re-renders every time Parent does */</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">Child</span><span class="p">()</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Child rendered!</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span>I'm a child<span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;;</span> <span class="p">}</span> </code></pre> </div> <p>Even though <code>Child</code> receives no props and has no state, it re-renders whenever <code>Parent</code> does. This is React's default behavior. React assumes that a parent re-rendering might affect its children.</p> <h3> 3. Context Changes </h3> <p>When a context value changes, every component that consumes that context (via <code>useContext</code> or <code>Context.Consumer</code>) will re-render.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="kd">const</span> <span class="nx">ThemeContext</span> <span class="o">=</span> <span class="nf">createContext</span><span class="p">();</span> <span class="kd">function</span> <span class="nf">App</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">theme</span><span class="p">,</span> <span class="nx">setTheme</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">'</span><span class="s1">light</span><span class="dl">'</span><span class="p">);</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nc">ThemeContext</span><span class="p">.</span><span class="nc">Provider</span> <span class="na">value</span><span class="p">=</span><span class="si">{</span><span class="nx">theme</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Toolbar</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">ThemeContext</span><span class="p">.</span><span class="nc">Provider</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">Toolbar</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// This component re-renders when theme changes</span> <span class="kd">const</span> <span class="nx">theme</span> <span class="o">=</span> <span class="nf">useContext</span><span class="p">(</span><span class="nx">ThemeContext</span><span class="p">);</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="si">{</span><span class="nx">theme</span><span class="si">}</span><span class="p">&gt;</span>Toolbar<span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Note:</strong> Even if a component sits between the Provider and the consumer, the consumer will still re-render when the context changes, even if the middle component doesn't.</p> <h3> 4. Hook Changes </h3> <p>When a custom hook's internal state or subscribed values change, components using that hook will re-render.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="kd">function</span> <span class="nf">useWindowWidth</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">width</span><span class="p">,</span> <span class="nx">setWidth</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">innerWidth</span><span class="p">);</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">handleResize</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">setWidth</span><span class="p">(</span><span class="nb">window</span><span class="p">.</span><span class="nx">innerWidth</span><span class="p">);</span> <span class="nb">window</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">resize</span><span class="dl">'</span><span class="p">,</span> <span class="nx">handleResize</span><span class="p">);</span> <span class="k">return </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nb">window</span><span class="p">.</span><span class="nf">removeEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">resize</span><span class="dl">'</span><span class="p">,</span> <span class="nx">handleResize</span><span class="p">);</span> <span class="p">},</span> <span class="p">[]);</span> <span class="k">return</span> <span class="nx">width</span><span class="p">;</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">MyComponent</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">width</span> <span class="o">=</span> <span class="nf">useWindowWidth</span><span class="p">();</span> <span class="c1">// Re-renders when window is resized</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span>Width: <span class="si">{</span><span class="nx">width</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;;</span> <span class="p">}</span> </code></pre> </div> <h2> What DOESN'T Trigger Re-renders </h2> <p>Just as important as knowing what triggers re-renders is knowing what doesn't:</p> <h3> Props Changes Alone Don't Trigger Re-renders </h3> <p>This surprises people, but it's true. Props changing doesn't directly cause a re-render, the parent re-rendering does. Props changing is just a <em>consequence</em> of the parent re-rendering and passing new values down.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="kd">function</span> <span class="nf">Parent</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">count</span><span class="p">,</span> <span class="nx">setCount</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nc">Child</span> <span class="na">value</span><span class="p">=</span><span class="si">{</span><span class="nx">count</span><span class="si">}</span> <span class="p">/&gt;;</span> <span class="c1">// Parent re-renders, Child re-renders</span> <span class="p">}</span> </code></pre> </div> <p>The <code>Child</code> doesn't re-render "because props changed." It re-renders because <code>Parent</code> re-rendered, which happens to result in new props being passed.</p> <h3> Regular Variable Changes </h3> <p>Mutating regular variables or object properties doesn't trigger re-renders. Only state changes do.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="kd">function</span> <span class="nf">Broken</span><span class="p">()</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">count</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="c1">// NOT state</span> <span class="kd">const</span> <span class="nx">increment</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">count</span><span class="o">++</span><span class="p">;</span> <span class="c1">// This won't trigger a re-render!</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">count</span><span class="p">);</span> <span class="c1">// Will log incremented value</span> <span class="p">};</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="nx">increment</span><span class="si">}</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">count</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">button</span><span class="p">&gt;;</span> <span class="c1">// UI won't update</span> <span class="p">}</span> </code></pre> </div> <h3> Ref Changes </h3> <p>Updating a ref (via <code>useRef</code>) doesn't trigger re-renders. That's actually the point of refs, they're for values that need to persist across renders without causing re-renders.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="kd">function</span> <span class="nf">Component</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">renderCount</span> <span class="o">=</span> <span class="nf">useRef</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="nx">renderCount</span><span class="p">.</span><span class="nx">current</span><span class="o">++</span><span class="p">;</span> <span class="c1">// No re-render triggered</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span>Rendered <span class="si">{</span><span class="nx">renderCount</span><span class="p">.</span><span class="nx">current</span><span class="si">}</span> times<span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;;</span> <span class="p">}</span> </code></pre> </div> <h2> Common Misconceptions </h2> <h3> "React re-renders when props change" </h3> <p>As we discussed, this is backwards. React re-renders the component, which results in potentially different props being passed to children.</p> <h3> "Re-rendering is bad and should be avoided" </h3> <p>Re-rendering is how React works! It's not inherently bad. React is very fast at rendering, and most components render in microseconds. Only optimize re-renders if you have a proven performance problem.</p> <h3> "Setting state to the same value always causes a re-render" </h3> <p>React will bail out of re-renders if you set state to the same value (using <code>Object.is()</code> comparison). However, this bailout happens <em>after</em> React has started the re-render process, so the component function will be called once more, but children won't re-render.</p> <h2> Building Your Mental Model </h2> <p>Here's a simple mental model to internalize:</p> <ol> <li> <strong>State changes are the root cause</strong> of all re-renders (including context and hook state)</li> <li> <strong>Re-renders cascade down</strong> the component tree by default</li> <li> <strong>React compares before committing</strong> to the DOM (rendering ≠ DOM updates)</li> <li> <strong>Optimization tools exist</strong> when needed (React.memo, useMemo, useCallback)</li> </ol> <h2> When Should You Care About Re-renders? </h2> <p>Most of the time, you shouldn't. React is fast, and premature optimization wastes time. You should investigate re-renders when:</p> <ul> <li>You notice visible lag or stuttering in your UI</li> <li>You have components doing expensive calculations on every render</li> <li>You're rendering large lists (hundreds or thousands of items)</li> <li>Your profiler shows components taking significant time to render</li> </ul> <h2> Practical Example: Debugging Unexpected Re-renders </h2> <p>Let's say you have a component re-rendering too much. Here's how to debug it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="kd">function</span> <span class="nf">MyComponent</span><span class="p">({</span> <span class="nx">data</span> <span class="p">})</span> <span class="p">{</span> <span class="c1">// Add this to see when and why component renders</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">MyComponent rendered</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">data</span><span class="p">.</span><span class="nx">value</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;;</span> <span class="p">}</span> </code></pre> </div> <p>Then ask yourself:</p> <ol> <li>Is the parent re-rendering? (Check parent's render logs)</li> <li>Is state changing in this component? (Log state values)</li> <li>Is context changing? (Log context values)</li> <li>Are we getting new prop objects on every render? (Log <code>data</code> identity)</li> </ol> <h2> Conclusion </h2> <p>React's rendering behavior follows consistent, predictable rules. State changes trigger re-renders, which cascade to children by default. Understanding this helps you reason about your app's behavior and know when (and when not) to optimize.</p> <p>The key insight: React re-renders are not triggered by props changes or variable assignments, they're triggered by state changes and then propagate down the component tree. Everything else follows from this fundamental truth.</p> <p>Now when you see an unexpected re-render, you'll know exactly where to look: trace back to find which state changed, and you'll find your answer.</p> <p><em>Have questions about React rendering? Found this helpful? Want me to dive deeper into when to use useMemo, useCallback, and React.memo for optimization? Let me know in the comments below!</em></p> react webdev programming javascript Implementing Secure Authentication in Next.js with External APIs: A BFF Pattern Approach Favour Okpara Tue, 03 Feb 2026 07:16:34 +0000 https://dev.to/favour_okpara_9dc22591b2f/implementing-secure-authentication-in-nextjs-with-external-apis-a-bff-pattern-approach-hmg https://dev.to/favour_okpara_9dc22591b2f/implementing-secure-authentication-in-nextjs-with-external-apis-a-bff-pattern-approach-hmg <h2> TL;DR </h2> <p><em>Next.js middleware can't read httpOnly cookies from external APIs because they're cross origin. The solution: create Next.js API routes that proxy requests to your external backend, setting same origin cookies that middleware can access. This BFF (Backend for Frontend) pattern is secure but adds maintenance overhead. Use it when working with external APIs you don't control and security is critical.</em></p> <p>A few weeks back, I was working on a project to build a website for a tutor in Next.js that required me to integrate login and register APIs for user authentication. Coming from a React background, it seemed easy and straightforward. All I had to do was ensure that my backend was sending the authorization token as cookies, then include it in my API calls by adding credentials—and that was that.</p> <h2> The React Authentication Pattern </h2> <p><em>Example of login in React below</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">login</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">e</span><span class="p">.</span><span class="nf">preventDefault</span><span class="p">();</span> <span class="nf">setError</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://external-api.com/login</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span> <span class="p">},</span> <span class="na">credentials</span><span class="p">:</span> <span class="dl">"</span><span class="s2">include</span><span class="dl">"</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}),</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">error</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">Login failed</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nx">router</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="dl">"</span><span class="s2">/dashboard</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nf">setError</span><span class="p">(</span><span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">);</span> <span class="p">}</span> <span class="k">finally</span> <span class="p">{</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <p>This works well in a traditional React SPA, but how do I prevent unauthenticated or unauthorized users from accessing protected routes in Next.js?</p> <h2> The Problem with Client-Side Authentication </h2> <p>The normal React way of protecting routes is to wrap protected routes in an AuthProvider connected to a global state management solution (Zustand, Redux, etc.) and conditionally render based on whether the user is authenticated or not. This is UI based authentication, and while it works, several critical issues concerned me:</p> <ol> <li> <strong>No real security</strong> - A user can manipulate the client side state (localStorage, Redux store, etc.) to bypass the protection</li> <li> <strong>API calls still need protection</strong> - Even if you hide a route, someone can still make API requests directly</li> <li> <strong>Token exposure</strong> - If you store tokens in localStorage, they're accessible to JavaScript and vulnerable to XSS attacks</li> </ol> <h2> The Next.js Middleware Challenge </h2> <p>I was building in Next.js and I knew that Middleware (running at the edge) could be paired with my client-side API calls to provide better security. So I got to work, asking my middleware to check if the user is authorized by verifying cookies. But it was then I realized the core problem:</p> <p><strong>I can't access httpOnly cookies set by my external backend domain in my Next.js middleware because they're cross origin.</strong></p> <p>The middleware runs on my Next.js domain (e.g., <code>myapp.com</code>), but the cookies are set by my external API (e.g., <code>external-api.com</code>). Due to browser security policies, these cookies simply aren't available to my middleware. So the user would always appear unauthenticated because middleware doesn't have access to the particular httpOnly cookie I was looking for.</p> <h2> Why Common Workarounds Don't Work </h2> <p>I considered asking my backend developer to include the accessToken in the response body for a successful login, then set the cookie using <code>document.cookie</code>.</p> <p><em>Example code below</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">login</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">e</span><span class="p">.</span><span class="nf">preventDefault</span><span class="p">();</span> <span class="nf">setError</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://external-api.com/login</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span> <span class="p">},</span> <span class="na">credentials</span><span class="p">:</span> <span class="dl">"</span><span class="s2">include</span><span class="dl">"</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}),</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">error</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">Login failed</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// Store token in regular cookie (NOT httpOnly)</span> <span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span> <span class="o">=</span> <span class="s2">`accessToken=</span><span class="p">${</span><span class="nx">data</span><span class="p">.</span><span class="nx">accessToken</span><span class="p">}</span><span class="s2">; path=/; max-age=</span><span class="p">${</span><span class="mi">24</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span><span class="p">}</span><span class="s2">; SameSite=Strict; Secure`</span><span class="p">;</span> <span class="nx">router</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="dl">"</span><span class="s2">/dashboard</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nf">setError</span><span class="p">(</span><span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">);</span> <span class="p">}</span> <span class="k">finally</span> <span class="p">{</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <p><strong>This approach defeats the entire purpose of what I was trying to achieve because:</strong></p> <ol> <li> <strong>Token accessible to JavaScript (XSS risk)</strong> - Any malicious script can read <code>document.cookie</code> and steal the token</li> <li> <strong>Cross Origin complications</strong> - When making authenticated requests to my external backend, I'd need to manually attach this token, potentially causing CORS issues</li> </ol> <p>So I couldn't do without my middleware because I didn't want just UI based authentication, but when I involved my middleware, I was unnecessarily putting my entire project at risk by exposing the accessToken to JavaScript.</p> <h2> The Solution: Backend for Frontend (BFF) Pattern with Next.js API Routes </h2> <p>After research, I decided to implement what's essentially a <strong>Backend for Frontend (BFF) pattern</strong> using Next.js server routes. This approach bypasses the cross origin cookie problem entirely by creating a proxy layer between my client and the external API.</p> <p><strong>The flow is straightforward:</strong></p> <ol> <li>Client queries my Next.js API route (same domain)</li> <li>Next.js API route queries the external backend</li> <li>Next.js receives the token from the external API</li> <li>Next.js sets httpOnly cookies on its own domain</li> <li>Middleware can now read these same origin cookies</li> <li>All subsequent requests go through the Next.js proxy</li> </ol> <h3> Step 1: Create the Login API Route </h3> <p>Under <code>src/app</code>, I created an <code>api/login/route.ts</code> file to act as a proxy to my external backend:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/login/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Parse request body</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">body</span><span class="p">;</span> <span class="c1">// Validate input</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">email</span> <span class="o">||</span> <span class="o">!</span><span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Email and password are required</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">400</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Call external backend</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_API_URL</span><span class="p">}</span><span class="s2">/auth/login`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}),</span> <span class="p">});</span> <span class="c1">// Handle backend errors</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">errorData</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">().</span><span class="k">catch</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">({}));</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="nx">errorData</span><span class="p">.</span><span class="nx">message</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">Login failed</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="nx">response</span><span class="p">.</span><span class="nx">status</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Get data from backend</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// Expected: { accessToken: "...", user: { id, email, name, ... } }</span> <span class="c1">// Create response with user data (NO TOKEN in response body)</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">user</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Login successful</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">200</span> <span class="p">}</span> <span class="p">);</span> <span class="c1">// Set httpOnly cookie with accessToken</span> <span class="nx">res</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">accessToken</span><span class="dl">'</span><span class="p">,</span> <span class="nx">data</span><span class="p">.</span><span class="nx">accessToken</span><span class="p">,</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">'</span><span class="s1">strict</span><span class="dl">'</span><span class="p">,</span> <span class="na">maxAge</span><span class="p">:</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span><span class="p">,</span> <span class="c1">// 24 hours</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">res</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Login error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">An unexpected error occurred</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">500</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Step 2: Client-Side Login Component </h3> <p>Let the client query the login server route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/login/page.tsx</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span><span class="p">,</span> <span class="nx">FormEvent</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useRouter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/navigation</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">LoginPage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">email</span><span class="p">,</span> <span class="nx">setEmail</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">password</span><span class="p">,</span> <span class="nx">setPassword</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">error</span><span class="p">,</span> <span class="nx">setError</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">loading</span><span class="p">,</span> <span class="nx">setLoading</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nf">useRouter</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">handleLogin</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">e</span><span class="p">:</span> <span class="nx">FormEvent</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">e</span><span class="p">.</span><span class="nf">preventDefault</span><span class="p">();</span> <span class="nf">setError</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/login</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">credentials</span><span class="p">:</span> <span class="dl">'</span><span class="s1">include</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Important: allows cookies to be set</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}),</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">error</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">Login failed</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Login successful:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">data</span><span class="p">.</span><span class="nx">message</span><span class="p">);</span> <span class="c1">// Redirect to dashboard</span> <span class="nx">router</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="dl">'</span><span class="s1">/dashboard</span><span class="dl">'</span><span class="p">);</span> <span class="nx">router</span><span class="p">.</span><span class="nf">refresh</span><span class="p">();</span> <span class="c1">// Refresh to update server components</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nf">setError</span><span class="p">(</span><span class="nx">err</span> <span class="k">instanceof</span> <span class="nb">Error</span> <span class="p">?</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">An error occurred</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">finally</span> <span class="p">{</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">flex min-h-screen items-center justify-center</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">form</span> <span class="nx">onSubmit</span><span class="o">=</span><span class="p">{</span><span class="nx">handleLogin</span><span class="p">}</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">w-full max-w-md space-y-4 p-8</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-2xl font-bold</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Login</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="p">{</span><span class="nx">error</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">bg-red-100 border border-red-400 text-red-700 px-4 py-3 rounded</span><span class="dl">"</span><span class="o">&gt;</span> <span class="p">{</span><span class="nx">error</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">)}</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">label</span> <span class="nx">htmlFor</span><span class="o">=</span><span class="dl">"</span><span class="s2">email</span><span class="dl">"</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">block text-sm font-medium mb-2</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Email</span> <span class="o">&lt;</span><span class="sr">/label</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">input</span> <span class="nx">id</span><span class="o">=</span><span class="dl">"</span><span class="s2">email</span><span class="dl">"</span> <span class="kd">type</span><span class="o">=</span><span class="dl">"</span><span class="s2">email</span><span class="dl">"</span> <span class="nx">value</span><span class="o">=</span><span class="p">{</span><span class="nx">email</span><span class="p">}</span> <span class="nx">onChange</span><span class="o">=</span><span class="p">{(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setEmail</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)}</span> <span class="nx">required</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">w-full px-3 py-2 border rounded-lg</span><span class="dl">"</span> <span class="nx">placeholder</span><span class="o">=</span><span class="dl">"</span><span class="s2">you@example.com</span><span class="dl">"</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">label</span> <span class="nx">htmlFor</span><span class="o">=</span><span class="dl">"</span><span class="s2">password</span><span class="dl">"</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">block text-sm font-medium mb-2</span><span class="dl">"</span><span class="o">&gt;</span> <span class="nx">Password</span> <span class="o">&lt;</span><span class="sr">/label</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">input</span> <span class="nx">id</span><span class="o">=</span><span class="dl">"</span><span class="s2">password</span><span class="dl">"</span> <span class="kd">type</span><span class="o">=</span><span class="dl">"</span><span class="s2">password</span><span class="dl">"</span> <span class="nx">value</span><span class="o">=</span><span class="p">{</span><span class="nx">password</span><span class="p">}</span> <span class="nx">onChange</span><span class="o">=</span><span class="p">{(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setPassword</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)}</span> <span class="nx">required</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">w-full px-3 py-2 border rounded-lg</span><span class="dl">"</span> <span class="nx">placeholder</span><span class="o">=</span><span class="dl">"</span><span class="s2">••••••••</span><span class="dl">"</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">button</span> <span class="kd">type</span><span class="o">=</span><span class="dl">"</span><span class="s2">submit</span><span class="dl">"</span> <span class="nx">disabled</span><span class="o">=</span><span class="p">{</span><span class="nx">loading</span><span class="p">}</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">w-full bg-blue-600 text-white py-2 rounded-lg hover:bg-blue-700 disabled:opacity-50</span><span class="dl">"</span> <span class="o">&gt;</span> <span class="p">{</span><span class="nx">loading</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">Logging in...</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">Login</span><span class="dl">'</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/button</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/form</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Step 3: Middleware for Route Protection </h3> <p>Finally, create middleware to handle initial route protection. Because we've set cookies in our login server route (on the same domain), middleware has access to them and JavaScript never sees the actual token.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">//middleware.ts (same level as app folder)</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextRequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Check for authentication token</span> <span class="kd">const</span> <span class="nx">accessToken</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">accessToken</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// If no auth cookie, redirect to login</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">accessToken</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">));</span> <span class="p">}</span> <span class="c1">// Token exists, allow request to proceed</span> <span class="c1">// NOTE: This doesn't validate if token is valid/expired</span> <span class="c1">// That validation happens in your page components/layouts</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="c1">// Specify which routes to protect</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">/dashboard/:path*</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/profile/:path*</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/settings/:path*</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Add more protected routes here</span> <span class="p">],</span> <span class="p">};</span> </code></pre> </div> <h3> Step 4: Server-Side Token Validation </h3> <p>Middleware can only check if the cookie exists, not if it's valid or expired. You must validate the token on the server side in your protected pages or layouts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/dashboard/layout.tsx</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">cookies</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/headers</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/navigation</span><span class="dl">'</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">validateToken</span><span class="p">(</span><span class="nx">token</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Call your backend to verify the token</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_API_URL</span><span class="p">}</span><span class="s2">/auth/verify`</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">DashboardLayout</span><span class="p">({</span> <span class="nx">children</span><span class="p">,</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">children</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">ReactNode</span><span class="p">;</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">cookieStore</span> <span class="o">=</span> <span class="nf">cookies</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">accessToken</span> <span class="o">=</span> <span class="nx">cookieStore</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">accessToken</span><span class="dl">'</span><span class="p">)?.</span><span class="nx">value</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">accessToken</span><span class="p">)</span> <span class="p">{</span> <span class="nf">redirect</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// CRITICAL: Validate the token with your backend</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">validateToken</span><span class="p">(</span><span class="nx">accessToken</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Token is invalid or expired</span> <span class="nf">redirect</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="p">{</span><span class="cm">/* Your dashboard layout */</span><span class="p">}</span> <span class="p">{</span><span class="nx">children</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> What This Approach Achieves </h2> <p>With the steps above, I've created a secure authentication flow that addresses all my original concerns:</p> <h3> 1. Maximum Security </h3> <ul> <li> <strong>HttpOnly cookies</strong> - Token can't be accessed by client side JavaScript (XSS protection)</li> <li> <strong>Token never exposed</strong> - Client never sees the actual token in response body</li> <li> <strong>Server-side validation</strong> - Backend validates every request through the proxy</li> <li> <strong>No localStorage/sessionStorage</strong> - Eliminates common XSS attack vectors</li> <li> <strong>Same-origin cookies</strong> - Middleware can enforce route protection before page loads</li> </ul> <h3> 2. Better User Experience </h3> <ul> <li> <strong>Middleware protection</strong> - Unauthorized users are redirected BEFORE the page loads (no flash of protected content)</li> <li> <strong>Seamless authentication</strong> - No loading states for auth checks on protected routes</li> <li> <strong>Clean separation</strong> - Authentication logic is centralized in API routes</li> </ul> <h3> 3. Leverages Next.js Native Features </h3> <ul> <li> <strong>Built-in middleware</strong> - No third party auth libraries needed for basic protection</li> <li> <strong>Server components</strong> - Can read cookies on the server for SSR</li> <li> <strong>Route protection</strong> - Declarative protection via middleware matcher</li> <li> <strong>API routes</strong> - Natural place to handle authentication logic</li> </ul> <h3> 4. Bypasses Cross Origin Issues </h3> <p>This approach doesn't solve CORS, it bypasses it entirely. By creating a same-origin proxy, you eliminate the cross-origin cookie problem. Your Next.js app becomes the single domain your frontend interacts with, while the external API remains completely separate.</p> <h2> The Trade-offs You Need to Consider </h2> <p>After discussing with colleagues and implementing this at scale, I have to acknowledge this approach comes with significant trade-offs:</p> <h3> 1. Increased Complexity </h3> <ul> <li> <strong>More code to maintain</strong> - You need API routes for login, logout, refresh, and potentially every protected endpoint</li> <li> <strong>Duplicate error handling</strong> - Must handle errors in both API routes and external backend</li> <li> <strong>Cookie synchronization</strong> - Must keep Next.js cookies in sync with backend authentication state</li> <li> <strong>Proxy maintenance</strong> - Every new backend endpoint needs a corresponding API route</li> </ul> <h3> 2. Critical Middleware Limitations </h3> <p><strong>This is the most important caveat:</strong> Middleware can only check if a cookie exists, not if it's valid or expired. This means:</p> <ul> <li>Expired tokens will pass middleware checks</li> <li>Invalid tokens will pass middleware checks</li> <li>Revoked sessions will pass middleware checks</li> </ul> <p>The actual validation still happens later either in your API routes when you proxy requests to the backend, or in server components when you validate the token. This creates a <strong>false sense of security</strong> if you're not aware of it.</p> <p>Middleware provides a <strong>first line of defense</strong> (preventing completely unauthenticated access and avoiding UI flashes), but <strong>server-side validation in your components/layouts is mandatory</strong> for true security.</p> <h3> 3. Performance Considerations </h3> <ul> <li> <strong>Extra network hop</strong> - Every request goes through your Next.js proxy before reaching the backend</li> <li> <strong>Increased latency</strong> - Added overhead compared to direct backend calls</li> <li> <strong>Server load</strong> - Your Next.js server now handles authentication proxy traffic</li> </ul> <h3> 4. Scalability Concerns </h3> <ul> <li> <strong>Session management complexity</strong> - Token refresh, logout, and session invalidation all need proxy routes</li> <li> <strong>State synchronization</strong> - Keeping authentication state consistent across your Next.js layer and backend</li> <li> <strong>Deployment considerations</strong> - Your Next.js app now needs to be highly available since it's a critical proxy layer</li> </ul> <h2> When to Use This Pattern </h2> <p>This BFF (Backend-for-Frontend) pattern is appropriate when:</p> <ul> <li>You're integrating with an <strong>external API you don't control</strong> that uses httpOnly cookies</li> <li>You need <strong>server-side route protection</strong> with middleware</li> <li>Security is a high priority and you want to <strong>eliminate XSS token exposure</strong> </li> <li>You're willing to accept the <strong>maintenance overhead</strong> of a proxy layer</li> <li>Your team has the resources to <strong>maintain parallel API routes</strong> </li> </ul> <h2> When NOT to Use This Pattern </h2> <p>Consider alternatives if:</p> <ul> <li>You control both frontend and backend (use a monorepo or unified auth)</li> <li>Your project is small/simple</li> <li>You can use NextAuth.js or similar libraries (they handle this complexity for you)</li> <li>Performance is critical and you can't afford the extra network hop</li> <li>Your backend supports alternative auth methods (like token-based auth with short-lived tokens)</li> </ul> <h2> Conclusion </h2> <p>Implementing secure authentication in Next.js when working with external APIs requires understanding the limitations of cross origin cookies and the middleware execution model. The BFF pattern I've described solves real security problems but introduces architectural complexity.</p> <p>The key insight is this: <strong>middleware provides route-level access control, but you still need server side token validation in your components.</strong> Think of middleware as a bouncer checking if you have a ticket, while your server components are the venue staff verifying the ticket is actually valid.</p> <p>This approach has worked well for my tutor website project, but I wouldn't recommend it for every Next.js application. Evaluate your specific requirements, team capacity, and security needs before implementing this pattern. Sometimes a simpler solution with different trade-offs is the right choice, but for applications requiring this level of security with external APIs, it's a worthwhile investment.</p> programming javascript tutorial nextjs