#Handling Secure Cookies in Next.js with a NestJS Backend: Client vs. Server-Side Requests

1 messages · Page 1 of 1 (latest)

sacred stump
#

I am using Next.js for the frontend and NestJS for the backend. The backend uses cookies for authentication, specifically secure cookies. When a user authenticates, the backend sends a token in a cookie. I am using Next.js as a regular React app, meaning I am not using server actions for mutations. Instead, I am calling the backend directly from the client side of Next.js.

Here is my main question: When I send a request from the server-side components in Next.js to fetch data from the backend, will the cookies also be included in the request to the backend? I have noticed that when I send a request from the client side (e.g., from a component with the use client directive), the cookies are included.

open boneBOT
#

Hi @sacred stump. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

#

Based on the knowledge sources provided, I can address your question about handling secure cookies in Next.js with a NestJS backend, specifically focusing on the difference between client-side and server-side requests.

When making requests from server-side components in Next.js to your NestJS backend, the cookies are not automatically included in the request. This is because server-side components run on the Next.js server, which doesn't have direct access to the browser's cookies.

As mentioned in the Github issue comment (https://github.com/vercel/next.js/issues/52209#issuecomment-1621889571):

"Basically, it depends on where you are calling the API endpoint from; keep note that the server doesn't have direct access to the cookies because they are stored on the browser and are sent with a request made to an API endpoint from the client. Therefore, if you are calling the API endpoint from the client (i.e. Browser), the cookies are sent alongside the request. But, if you are calling the API endpoint from a server component or another API endpoint in your application, the cookies are not sent alongside the request, because the request is being sent from the SERVER and NOT the CLIENT!"

This explains why you're seeing the cookies included when making requests from the client-side components (those with the 'use client' directive), but not from server-side components.

To handle this situation, you have a few options:

  1. Pass cookies manually: You can pass the cookies from the client to the server-side component, and then include them in your request to the NestJS backend. The Next.js documentation on Accessing Request Object (https://nextjs.org/docs/app/building-your-application/upgrading/app-router-migration#accessing-request-object) shows how to access cookies in server components:
# 
import { cookies } from 'next/headers'

export default async function Page() {
  const cookieStore = cookies()
  const theme = cookieStore.get('theme')
  // Use the theme cookie in your request to the backend
}

  1. Use client-side data fetching: If the data you're fetching requires authentication, you might consider moving that data fetching to the client side where the cookies are automatically included.

  2. Implement a server-side solution: You could set up a system where your Next.js server maintains its own session with your NestJS backend, separate from the client-side authentication. This would be more complex but could provide better security and performance in some cases.

Remember that handling authentication securely can be complex, especially when dealing with server-side rendering and API routes. Always ensure you're following best practices for security, especially when dealing with authentication tokens.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon: