npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

avid-next-firebase-auth

v1.0.0-canary.15

Published

Simple Firebase authentication for all Next.js rendering strategies

Downloads

4

Readme

Build Status codecov npm Contributor Covenant

next-firebase-auth

Simple Firebase authentication for all Next.js rendering strategies.

DemoAlternativesGetting StartedAPIConfigTypesUpgrading to Firebase 9ExamplesTroubleshootingContributing

What It Does

This package makes it simple to get the authenticated Firebase user and ID token during both client-side and server-side rendering (SSR).

     🌍   Support for all Next.js rendering strategies
     🔒   Signed, secure, HTTP-only cookies by default
     🆔   Server-side access to the user's Firebase ID token
     🍪   Built-in cookie management
     ↩️   Built-in support for redirecting based on the user's auth status

We treat the Firebase JS SDK as the source of truth for auth status. When the user signs in, we call an endpoint to generate a refresh token and store the user info, ID token, and refresh token in cookies. Future requests to SSR pages receive the user info and ID token from cookies, refreshing the ID token as needed. When the user logs out, we unset the cookies.

Demo

See a live demo of the example app.

When (Not) to Use this Package

Depending on your app's needs, other approaches might work better for you.

If your app only uses static pages or doesn't need the Firebase user for SSR, use the Firebase JS SDK directly to load the user on the client side.

  • Pros: It's simpler and removes this package as a dependency.
  • Cons: You will not have access to the Firebase user when you use getServerSideProps.

If your app needs the Firebase user for SSR (but does not need the ID token server-side), you could consider one of these approaches:

  1. On the client, set a JavaScript cookie with the Firebase user information once the Firebase JS SDK loads.
    • Pros: You won't need login/logout API endpoints. You can structure the authed user data however you'd like.
    • Cons: The cookie will be unsigned and accessible to other JavaScript, making this approach less secure. You won't always have access to the Firebase ID token server-side, so you won't be able to access other Firebase services. (Note that you can set the ID token in the cookie, but it will expire after an hour and be invalid for future server-side-rendered pages.)
  2. Use Firebase's session cookies.
    • Pros: It removes this package as a dependency.
    • Cons: You won't have access to the Firebase ID token server-side, so you won't be able to access other Firebase services. You'll need to implement logic for verifying the session and managing session state.

This package will likely be helpful if you expect to use both static pages and SSR or if you need access to Firebase ID tokens server-side.

A quick note on what this package does not do:

  • It does not provide authentication UI. Consider firebasesui-web or build your own.
  • It does not extend Firebase functionality beyond providing universal access to the authed user. Use the Firebase admin SDK and Firebase JS SDK for any other needs.

Get Started

Install:

yarn add next-firebase-auth

Make sure peer dependencies are also installed:

yarn add firebase firebase-admin next react react-dom

Create a module to initialize next-firebase-auth.

Example config:

See config documentation for details

// ./initAuth.js
import { init } from 'next-firebase-auth'

const initAuth = () => {
  init({
    authPageURL: '/auth',
    appPageURL: '/',
    loginAPIEndpoint: '/api/login', // required
    logoutAPIEndpoint: '/api/logout', // required
    firebaseAuthEmulatorHost: 'localhost:9099',
    // Required in most cases.
    firebaseAdminInitConfig: {
      credential: {
        projectId: 'my-example-app-id',
        clientEmail: '[email protected]',
        // The private key must not be accesssible on the client side.
        privateKey: process.env.FIREBASE_PRIVATE_KEY,
      },
      databaseURL: 'https://my-example-app.firebaseio.com',
    },
    firebaseClientInitConfig: {
      apiKey: 'MyExampleAppAPIKey123', // required
      authDomain: 'my-example-app.firebaseapp.com',
      databaseURL: 'https://my-example-app.firebaseio.com',
      projectId: 'my-example-app-id',
    },
    cookies: {
      name: 'ExampleApp', // required
      // Keys are required unless you set `signed` to `false`.
      // The keys cannot be accessible on the client side.
      keys: [
        process.env.COOKIE_SECRET_CURRENT,
        process.env.COOKIE_SECRET_PREVIOUS,
      ],
      httpOnly: true,
      maxAge: 12 * 60 * 60 * 24 * 1000, // twelve days
      overwrite: true,
      path: '/',
      sameSite: 'strict',
      secure: true, // set this to false in local (non-HTTPS) development
      signed: true,
    },
  })
}

export default initAuth

Set the private environment variables FIREBASE_PRIVATE_KEY, COOKIE_SECRET_CURRENT, and COOKIE_SECRET_PREVIOUS in .env.local. If you have enabled the Firebase Authentication Emulator, you will also need to set the FIREBASE_AUTH_EMULATOR_HOST environment variable.

Initialize next-firebase-auth in _app.js:

// ./pages/_app.js
import initAuth from '../initAuth' // the module you created above

initAuth()

function MyApp({ Component, pageProps }) {
  return <Component {...pageProps} />
}

export default MyApp

Create login and logout API endpoints that set auth cookies:

// ./pages/api/login
import { setAuthCookies } from 'next-firebase-auth'
import initAuth from '../../initAuth' // the module you created above

initAuth()

const handler = async (req, res) => {
  try {
    await setAuthCookies(req, res)
  } catch (e) {
    return res.status(500).json({ error: 'Unexpected error.' })
  }
  return res.status(200).json({ success: true })
}

export default handler
// ./pages/api/logout
import { unsetAuthCookies } from 'next-firebase-auth'
import initAuth from '../../initAuth' // the module you created above

initAuth()

const handler = async (req, res) => {
  try {
    await unsetAuthCookies(req, res)
  } catch (e) {
    return res.status(500).json({ error: 'Unexpected error.' })
  }
  return res.status(200).json({ success: true })
}

export default handler

Finally, use the authenticated user in a page:

// ./pages/demo
import React from 'react'
import {
  useAuthUser,
  withAuthUser,
  withAuthUserTokenSSR,
} from 'next-firebase-auth'

const Demo = () => {
  const AuthUser = useAuthUser()
  return (
    <div>
      <p>Your email is {AuthUser.email ? AuthUser.email : 'unknown'}.</p>
    </div>
  )
}

// Note that this is a higher-order function.
export const getServerSideProps = withAuthUserTokenSSR()()

export default withAuthUser()(Demo)

API


init(config)

Initializes next-firebase-auth, taking a config object. Must be called before calling any other method.

withAuthUser({ ...options })(PageComponent)

A higher-order function to provide the AuthUser context to a component. Use this with any Next.js page that will access the authed user via the useAuthUser hook. Optionally, it can client-side redirect based on the user's auth status.

It accepts the following options:

| Option | Description | Default | | ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | | whenAuthed | The action to take if the user is authenticated. One of AuthAction.RENDER or AuthAction.REDIRECT_TO_APP. | AuthAction.RENDER | | whenUnauthedBeforeInit | The action to take if the user is not authenticated but the Firebase client JS SDK has not yet initialized. One of: AuthAction.RENDER, AuthAction.REDIRECT_TO_LOGIN, AuthAction.SHOW_LOADER. | AuthAction.RENDER | | whenUnauthedAfterInit | The action to take if the user is not authenticated and the Firebase client JS SDK has already initialized. One of: AuthAction.RENDER, AuthAction.REDIRECT_TO_LOGIN. | AuthAction.RENDER | | appPageURL | The redirect destination URL when we should redirect to the app. Can be a string or a function that receives { ctx } and returns a URL. | config.appPageURL | | authPageURL | The redirect destination URL when we should redirect to the login page. Can be a string or a function that receives { ctx } and returns a URL. | config.authPageURL | | LoaderComponent | The component to render when the user is unauthed and whenUnauthedBeforeInit is set to AuthAction.SHOW_LOADER. | null |

For example, this page will redirect to the login page if the user is not authenticated:

import { withAuthUser, AuthAction } from 'next-firebase-auth'

const DemoPage = () => <div>My demo page</div>

export default withAuthUser({
  whenUnauthedAfterInit: AuthAction.REDIRECT_TO_LOGIN,
  authPageURL: '/my-login-page/',
})(DemoPage)

Here's an example of a login page that shows a loader until Firebase is initialized, then redirects to the app if the user is already logged in:

import { withAuthUser, AuthAction } from 'next-firebase-auth'

const MyLoader = () => <div>Loading...</div>

const LoginPage = () => <div>My login page</div>

export default withAuthUser({
  whenAuthed: AuthAction.REDIRECT_TO_APP,
  whenUnauthedBeforeInit: AuthAction.SHOW_LOADER,
  whenUnauthedAfterInit: AuthAction.RENDER,
  LoaderComponent: MyLoader,
})(LoginPage)

For TypeScript usage, take a look here.

withAuthUserTokenSSR({ ...options })(getServerSidePropsFunc = ({ AuthUser }) => {})

A higher-order function that wraps a Next.js pages's getServerSideProps function to provide the AuthUser context during server-side rendering. Optionally, it can server-side redirect based on the user's auth status. A wrapped function is optional; if provided, it will be called with a context object that contains an AuthUser property.

It accepts the following options:

| Option | Description | Default | | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------- | | whenAuthed | The action to take if the user is authenticated. Either AuthAction.RENDER or AuthAction.REDIRECT_TO_APP. | AuthAction.RENDER | | whenUnauthed | The action to take if the user is not authenticated. Either AuthAction.RENDER or AuthAction.REDIRECT_TO_LOGIN. | AuthAction.RENDER | | appPageURL | The redirect destination URL when we should redirect to the app. Can be a string or a function that receives { ctx } and returns a URL. | config.appPageURL | | authPageURL | The redirect destination URL when we should redirect to the login page. Can be a string or a function that receives { ctx } and returns a URL. | config.authPageURL |

For example, this page will SSR for authenticated users, fetching props using their Firebase ID token, and will server-side redirect to the login page if the user is not authenticated:

import { withAuthUser, AuthAction } from 'next-firebase-auth'

const DemoPage = ({ thing }) => <div>The thing is: {thing}</div>

export const getServerSideProps = withAuthUserTokenSSR({
  whenUnauthed: AuthAction.REDIRECT_TO_LOGIN,
})(async ({ AuthUser }) => {
  // Optionally, get other props.
  const token = await AuthUser.getIdToken()
  const response = await fetch('/api/my-endpoint', {
    method: 'GET',
    headers: {
      Authorization: token,
    },
  })
  const data = await response.json()
  return {
    props: {
      thing: data.thing,
    },
  }
})

export default withAuthUser()(DemoPage)

withAuthUserSSR({ ...options })(getServerSidePropsFunc = ({ AuthUser }) => {})

Behaves nearly identically to withAuthUserTokenSSR, with one key difference: it does not validate an ID token. Instead, it simply uses the AuthUser data from a cookie. Consequently:

  • It does not provide an ID token on the server side. The AuthUser provided via context will resolve to null when you call AuthUser.getIdToken().
  • It does not need to make a network request to refresh an expired ID token, so it will, on average, be faster than withAuthUserTokenSSR.
  • It does not check for token revocation. If you need verification that the user's credentials haven't been revoked, you should always use withAuthUserTokenSSR.

⚠️ Do not use this when cookies.signed is set to false. Doing so is a potential security risk, because the authed user cookie values could be modified by the client.

This takes the same options as withAuthUserTokenSSR.

useAuthUser()

A hook that returns the current AuthUser. To use this, the Next.js page must be wrapped in withAuthUser. If the user is not authenticated, useAuthUser will return an AuthUser instance with a null id.

For example:

import { useAuthUser, withAuthUser } from 'next-firebase-auth'

const Demo = () => {
  const AuthUser = useAuthUser()
  return (
    <div>
      <p>Your email is {AuthUser.email ? AuthUser.email : 'unknown'}.</p>
    </div>
  )
}

export default withAuthUser()(DemoPage)

setAuthCookies(req, res)

Sets cookies to store the authenticated user's info. Call this from your "login" API endpoint.

Cookies are managed with cookies. See the config for cookie options.

The req argument should be an IncomingMessage / Next.js request object. The res argument should be a ServerResponse / Next.js response object. It requires that the Authorization request header be set to the Firebase user ID token, which this package handles automatically.

This can only be called on the server side.

unsetAuthCookies(req, res)

Unsets (expires) the auth cookies. Call this from your "logout" API endpoint.

The req argument should be an IncomingMessage / Next.js request object. The res argument should be a ServerResponse / Next.js response object.

This can only be called on the server side.

verifyIdToken(token) => Promise<AuthUser>

Verifies a Firebase ID token and resolves to an AuthUser instance. This serves a similar purpose as Firebase admin SDK's verifyIdToken.

AuthAction

An object that defines rendering/redirecting options for withAuthUser and withAuthUserTokenSSR. See AuthAction.

getFirebaseAdmin() => FirebaseAdmin

Added in v0.13.1

A convenience function that returns the configured Firebase admin module.

This can only be called from the server side. It will throw an error if called from the client side.

For example:

import { getFirebaseAdmin } from 'next-firebase-auth'
// ...other imports

const Artist = ({ artists }) => {
  return (
    <ul>
      {artists.map((artist) => (
        <li>{artist.name}</li>
      ))}
    </ul>
  )
}

export async function getServerSideProps({ params: { id } }) {
  const db = getFirebaseAdmin().firestore()
  const doc = await db.collection('artists').get()
  return {
    props: {
      artists: artists.docs.map((a) => {
        return { ...a.data(), key: a.id }
      }),
    },
  }
}

export default withAuthUser()(Artist)

Config

See an example config here. Provide the config when you call init.

authPageURL: The default URL to navigate to when withAuthUser or withAuthUserTokenSSR need to redirect to login. Can be a string or a function that receives { ctx } and returns a URL. Optional unless using the AuthAction.REDIRECT_TO_LOGIN auth action.

appPageURL: The default URL to navigate to when withAuthUser or withAuthUserTokenSSR need to redirect to the app. Can be a string or a function that receives { ctx } and returns a URL. Optional unless using the AuthAction.REDIRECT_TO_APP auth action.

loginAPIEndpoint: The API endpoint this module will call when the auth state changes for an authenticated Firebase user. Must be set unless tokenChangedHandler is set.

logoutAPIEndpoint: The API endpoint this module will call when the auth state changes for an unauthenticated Firebase user. Must be set unless tokenChangedHandler is set.

tokenChangedHandler: A callback that runs when the auth state changes for a particular user. Use this if you want to customize how your client-side app calls your login/logout API endpoints (for example, to use a custom fetcher or add custom headers). tokenChangedHandler receives an AuthUser as an argument and is called when the user's ID token changes, similarly to Firebase's onIdTokenChanged event.

If this callback is specified, user is responsible for:

  1. Calling their login/logout endpoints depending on the user's auth state.
  2. Passing the user's ID token in the Authorization header
  3. Ensuring it allows the request to set cookies.

Cannot be set with loginAPIEndpoint or logoutAPIEndpoint.

firebaseAuthEmulatorHost: The host and port for the local Firebase Auth Emulator. If this value is set, the auth emulator will be initialized with the provided host and port.

Must be exactly the same as the value of the FIREBASE_AUTH_EMULATOR_HOST environment variable, e.g., localhost:9099.

firebaseAdminInitConfig

Configuration passed to firebase-admin's initializeApp. It should contain a credential property (a plain object) and a databaseURL property. Required unless you initialize firebase-admin yourself before initializing next-firebase-auth.

The firebaseAdminInitConfig.credential.privateKey cannot be defined on the client side and should live in a secret environment variable.

Note: if using environent variables in Vercel, add the private key with double quotes via the CLI:

vercel secrets add firebase-private-key '"my-key-here"'

Then, use JSON.parse in the firebaseAdminInitConfig.credential.privateKey property:

  privateKey: process.env.FIREBASE_PRIVATE_KEY
    ? JSON.parse(process.env.FIREBASE_PRIVATE_KEY)
    : undefined

See this Vercel issue for more information.

firebaseClientInitConfig: Configuration passed to the Firebase JS SDK's initializeApp. The "firebaseClientInitConfig.apiKey" value is always required. Other properties are required unless you initialize the firebase app yourself before initializing next-firebase-auth.

cookies

Settings used for auth cookies. We use cookies to manage cookies.

Properties include:

  • name: Used as a base for cookie names: if name is set to "MyExample", cookies will be named MyExample.AuthUser and MyExample.AuthUserTokens (plus MyExample.AuthUser.sig and MyExample.AuthUserTokens.sig if cookies are signed). Required.
  • keys: An array of strings that will be used to sign cookies; for instance, ['xD$WVv3qrP3ywY', '2x6#msoUeNhVHr']. As these strings are secrets, provide them via secret environment variables, such as [ process.env.COOKIE_SECRET_CURRENT, process.env.COOKIE_SECRET_PREVIOUS ]. The keys array is passed to the Keygrip constructor as described in the cookies package. Required unless signed is set to false.
  • All options for cookies.set.

The keys value cannot be defined on the client side and should live in a secret environment variable.

For security, the maxAge value must be two weeks or less. Note that maxAge is defined in milliseconds.

Note: The cookies' expirations will be extended automatically when the user loads the Firebase JS SDK.

The Firebase JS SDK is the source of truth for authentication, so if the cookies expire but the user is still authed with Firebase, the cookies will be automatically set again when the user loads the Firebase JS SDK—but the user will not be authed during SSR on that first request.

Types

AuthAction

Defines actions to take depending on on a user's auth status, using the following constants:

AuthAction.RENDER: render the child component

AuthAction.SHOW_LOADER: show a loader component

AuthAction.RETURN_NULL: return null instead of any component

AuthAction.REDIRECT_TO_LOGIN: redirect to the login page

AuthAction.REDIRECT_TO_APP: redirect to the app

AuthUser

The auth user object used across server- and client-side contexts. This is a normalized representation of a Firebase user.

id - String|null

The Firebase user's ID, or null if the user is not authenticated.

email - String|null

The Firebase user's email address, or null if the user has no email address.

emailVerified - Boolean

Whether the user's email address is verified.

phoneNumber - String|null

Added in v0.13.1

The Firebase user's phone number, or null if the user has no phone number.

displayName - String|null

Added in v0.13.1

The Firebase user's display name, or null if the user has no display name.

photoURL - String|null

Added in v0.13.1

The Firebase user's photo URL, or null if the user has no photo URL.

claims - Object

Added in v0.13.0

Any custom Firebase claims.

getIdToken - Function => Promise<String|null>

An async function that resolves to a valid Firebase ID token string, or null if no valid token is available.

clientInitialized - Boolean

Whether the Firebase JS SDK has initialized. If true, we are no longer using any user info from server-side props.

firebaseUser - FirebaseUser|null

The user from the Firebase JS SDK, if it has initialized. Otherwise, null.

signOut - Function => Promise<void>

A method that calls Firebase's signOut if the Firebase JS SDK has initialized. If the SDK has not initialized, this method is a noop.

Upgrading to Firebase 9

Firebase 9 has a new API surface designed to facilitate tree-shaking (removal of unused code) to make your web app as small and fast as possible.

If you were previously using version 7 of 8 of the SDK you can easily upgrade by following the official guide.

Here is an example of how the migration might look in your app:

-import firebase from 'firebase/app'
-import 'firebase/firestore'
+import { getApp } from 'firebase/app'
+import { getFirestore, collection, onSnapshot } from 'firebase/firestore'
 import { useEffect } from 'react'

 const Artists = () => {
   const [artists, setArtists] = useState(artists)

   useEffect(() => {
-    return firebase.firestore()
-      .collection('artists')
-      .onSnapshot((snap) => {
+    return onSnapshot(collection(getFirestore(getApp()), 'artists'), (snap) => {
       if (!snap) {
         return
       }
       setArtists(snap.docs.map((doc) => ({ ...doc.data(), key: doc.id })))
     })
   }, [])

   return (
     <div>
       {artists.map((artist) => (
         <div>{artist.name}</div>
       ))}
     </div>
   )
 }

Examples

Using the Firebase Apps

You may want to access the Firebase admin module or Firebase JS SDK.

To use the Firebase admin module, you can use getFirebaseAdmin. (If you prefer, you can instead choose to initialize Firebase yourself prior to initializing next-firebase-auth. Here's some example code with this pattern.)

To use the Firebase JS SDK, simply import Firebase as you normally would. For example:

import { getApp } from 'firebase/app'
import { getFirestore, collection, onSnapshot } from 'firebase/firestore'
import { useEffect } from 'react'

const Artists = () => {
  const [artists, setArtists] = useState(artists)

  useEffect(() => {
    return onSnapshot(collection(getFirestore(getApp()), 'artists'), (snap) => {
      if (!snap) {
        return
      }
      setArtists(snap.docs.map((doc) => ({ ...doc.data(), key: doc.id })))
    })
  }, [])

  return (
    <div>
      {artists.map((artist) => (
        <div>{artist.name}</div>
      ))}
    </div>
  )
}

TypeScript

When using withAuthUser with TypeScript, use TypeScript Generics. For example:

// /pages/demo.tsx
import { VFC } from 'react'
import { Loading } from 'components/Loading/Loading'
import { AuthAction, withAuthUser } from 'next-firebase-auth'

type DemoDataType = {
  name: string
}

const Demo: VFC<DemoDataType> = ({ name }) => {
  return <div>Hello {name}!</div>
}

export default withAuthUser<DemoDataType>({ // <--- Ensure that the type is provided
  whenUnauthedBeforeInit: AuthAction.SHOW_LOADER,
  whenUnauthedAfterInit: AuthAction.REDIRECT_TO_LOGIN,
  LoaderComponent: Loading,
})(Demo)

For a full example with server-side data fetching, see the TypeScript demo page in the example app.

Dynamic Redirects

This package makes it easy to redirect to a login page or app page depending on whether a user is logged in. The destination URLs can also be dynamic: the authPageURL and appPageURL properties, used in the config and higher-order components, can be functions that receive { ctx } and return a URL.

The example app uses this to set a post-login destination URL:

// ./utils/initAuth.js
import { init } from 'next-firebase-auth'
import absoluteUrl from 'next-absolute-url'

const initAuth = () => init({
  // This demonstrates setting a dynamic destination URL when
  // redirecting from app pages. Alternatively, you can simply
  // specify `authPageURL: '/auth-ssr'`.
  authPageURL: ({ ctx }) => {
    const isServerSide = typeof window === 'undefined'
    const origin = isServerSide
      ? absoluteUrl(ctx.req).origin
      : window.location.origin
    const destPath =
      typeof window === 'undefined' ? ctx.resolvedUrl : window.location.href
    const destURL = new URL(destPath, origin)
    return `auth-ssr?destination=${encodeURIComponent(destURL)}`
  },

  // This demonstrates setting a dynamic destination URL when
  // redirecting from auth pages. Alternatively, you can simply
  // specify `appPageURL: '/'`.
  appPageURL: ({ ctx }) => {
    const isServerSide = typeof window === 'undefined'
    const origin = isServerSide
      ? absoluteUrl(ctx.req).origin
      : window.location.origin
    const params = isServerSide
      ? new URL(ctx.req.url, origin).searchParams
      : new URLSearchParams(window.location.search)
    const destinationParamVal = params.get('destination')
      ? decodeURIComponent(params.get('destination'))
      : undefined

    // By default, go to the index page if the destination URL
    // is invalid or unspecified.
    let destURL = '/'
    if (destinationParamVal) {
      // Verify the redirect URL host is allowed.
      // https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect
      const allowedHosts = ['localhost:3000', 'nfa-example.vercel.app']
      const allowed =
        allowedHosts.indexOf(new URL(destinationParamVal).host) > -1
      if (allowed) {
        destURL = destinationParamVal
      } else {
        // eslint-disable-next-line no-console
        console.warn(
          `Redirect destination host must be one of ${allowedHosts.join(
            ', '
          )}.`
        )
      }
    }
    return destURL
  },

  // ... other config
}

export default initAuth

Testing and Mocking with Jest

In order to test components wrapped with functions from next-firebase-auth, you will likely want to mock the next-firebase-auth library. This can be achieved using the manual mocks feature of Jest.

It can be helpful to define default mock behavior of next-firebase-auth across your tests. To do so, stub out the module in a top-level __mocks__ folder (alongside the node_modules in your application):

├── __mocks__
│   └── next-firebase-auth
│       └── index.js
├── node_modules
│   └── ... all your deps
├── src
│   └── ... all your source code

In index.js, export a mock of next-firebase-auth:

const { AuthAction } = require('next-firebase-auth')
const NFAMock = jest.createMockFromModule('next-firebase-auth')

module.exports = {
  ...NFAMock,
  // Customize any mocks as needed.
  init: jest.fn(),
  // For example, in tests, this will automatically render the child component of
  // `withAuthUser`.
  withAuthUser: jest.fn(() => (wrappedComponent) => wrappedComponent),
  useAuthUser: jest.fn(() => ({
    // ... you could return a default AuthUser here
  }),
  AuthAction,
}

See our implementation of this in our tab-web repository for a more robust example.

You will also likely want to have a utility to mock the AuthUser object that is passed around via the hooks and higher-order functions in next-firebase-auth. You might put this in a utils folder in your app.

// Create a mock FirebaseUser instance with the fields that you use.
const mockFirebaseUser = {
  displayName: 'Banana Manana',
  // ... other fields from firebaseUser that you may use
}

/**
 * Build and return a dummy AuthUser instance to use in tests.
 *
 * @arg {boolean} isLoggedIn - Pass `false` to mimic a logged out user.
 * @returns {AuthUserContext} - A mocked AuthUser instance, with 'serialize' added.
 */
const getMockAuthUser = (isLoggedIn = true) => ({
  id: isLoggedIn ? 'abcd1234' : null,
  email: isLoggedIn ? '[email protected]' : null,
  emailVerified: isLoggedIn,
  getIdToken: jest.fn(async () => (isLoggedIn ? 'i_am_a_token' : null)),
  clientInitialized: isLoggedIn,
  firebaseUser: isLoggedIn ? mockFirebaseUser : null,
  signOut: jest.fn(),
  serialize: jest.fn(() => 'serialized_auth_user'),
})

export default getMockAuthUser

Now, you can use and customize the mock behavior in your tests.

If you're modifying higher-order functions, component being tested needs to be required inside a beforeEach function or inside each test case. This is because mocking next-firebase-auth has to happen before your component is imported, because the call to the next-firebase-auth function is part of the default export of your component (e.g., export default withAuthUser()(MyComponent)).

Given the following component:

import React from 'react'
import { useAuthUser, withAuthUser } from 'next-firebase-auth'

function UserDisplayName() {
  const AuthUser = useAuthUser()
  const { displayName = 'anonymous' } = AuthUser.firebaseUser
  return <span>{displayName}</span>
}

export default withAuthUser()(UserDisplayName)

you can write a test suite like this:

import { render, screen } from '@testing-library/react'

// Import the functions that the component module calls, which allows jest to mock them
// in the context of this test run. This allows you to manipulate the return value of each
// function within this test suite.
import { useAuthUser, withAuthUser } from 'next-firebase-auth'

// Import your mock AuthUser generator
import getMockAuthUser from '../../utils/test-utils/get-mock-auth-user'

// Mock all of `next-firebase-auth`. This is *not* necessary if you set up manual mocks,
// because Jest will automatically mock the module in every test.
jest.mock('next-firebase-auth')

describe('UserDisplayName', () => {

  // Create a placeholder for your component that you want to test
  let UserDisplayName

  beforeEach(() => {
    // Mock the functions that your component uses, and import your component before each test.
    useAuthUser.mockReturnValue(getMockAuthUser())
    withAuthUser.mockImplementation(() => (wrappedComponent) => wrappedComponent))
    UserDisplayName = require('./').default
  })

  afterAll(() => {
    // Reset the mocks so that they don't bleed into the next test suite.
    jest.resetAllMocks()
  })

  it('renders the logged in user\'s display name', () => {
    // The default value for the mocked implementation of `withAuthUser` is a fully logged in and verified
    // user. Rendering your component directly with the setup above will result in a "logged in" user being
    // passed to your component.
    render(<UserDisplayName />)
    expect(screen.queryByTest(getMockAuthUser().firebaseUser.displayName)).toBeInTheDocument()
  })

  it('renders "anonymous" when user is not logged in', () => {
    // If you want to test a "logged out" state, then you can mock the function again inside any test,
    // passing a falsy value to `getMockAuthUser`, which will return a logged out AuthUser object.
    useAuthUser.mockReturnValue(getMockAuthUser(false))
    render(<Header />)
    expect(screen.getByText('anonymous')).toBeInTheDocument()
  })
})

Mocks and Typescript

When using TypeScript for your test files, you will have to cast the mocked functions to get access to the mockImplementation and mockReturnValue methods. If we were to rewrite the above example in TS, it might look something like this:

import type { ComponentType } from 'react'
import { render, screen } from '@testing-library/react'

// Import the functions that the component module calls, which allows jest to mock them
// in the context of this test run. This allows you to manipulate the return value of each
// function within this test suite.
import { useAuthUser, withAuthUser } from 'next-firebase-auth'

// Import your mock AuthUser generator
import getMockAuthUser from '../../utils/test-utils/get-mock-auth-user'

// Mock all of `next-firebase-auth`. This is *not* necessary if you set up manual mocks,
// because Jest will automatically mock the module
jest.mock('next-firebase-auth')

describe('UserDisplayName', () => {

  // Create a placeholder for your component that you want to test
  let UserDisplayName: ComponentType

  beforeEach(() => {
    // Mock the functions that your component uses, and import your component before each test.
    (useAuthUser as jest.Mock).mockReturnValue(getMockAuthUser())
    (withAuthUser as jest.Mock).mockImplementation(() => (wrappedComponent: ComponentType) => wrappedComponent: ComponentType))
    UserDisplayName = require('./').default as ComponentType
  })

  afterAll(() => {
    // Reset the mocks so that they don't bleed into the next test suite.
    jest.resetAllMocks()
  })

  it('renders the logged in user\'s display name', () => {
    // The default value for the mocked implementation of `withAuthUser` is a fully logged in and verified
    // user. Rendering your component directly with the setup above will result in a "logged in" user being
    // passed to your component.
    render(<UserDisplayName />)
    expect(screen.getByText(getMockAuthUser().firebaseUser.displayName)).toBeInTheDocument()
  })

  it('renders "anonymous" when user is not logged in', () => {
    // If you want to test a "logged out" state, then you can mock the function again inside any test,
    // passing a falsy value to `getMockAuthUser`, which will return a logged out AuthUser object.
    (useAuthUser as jest.Mock).mockReturnValue(getMockAuthUser(false))
    render(<Header />)
    expect(screen.getByText('anonymous')).toBeInTheDocument()
  })
})

Troubleshooting

Stuck? Search discussions or open your own Q&A discussion describing what you've already tried.

I get the error "[Some setting] should not be available on the client side."

We expect certain sensitive config values to be falsy on the client side (see the config validation code). This is a precaution to make sure developers aren't accidentally bundling something like their Firebase private key with client JS.

To fix this, ensure the config setting is undefined on the client side by logging it to your browser console. You can use Next's .env support to set server-only variables. Never use the NEXT_PUBLIC* prefix for any secret values.

I get an "INVALID_CUSTOM_TOKEN" error when trying to get a refresh token.

This package will call a Google endpoint when it needs to refresh a token server-side. You're seeting an error in that request.

To fix this, confirm that your firebaseAdminInitConfig.credential.clientEmail is correct. It should be the email paired with your Firebase private key.

If that doesn't help, try inspecting the custom token to manually validate the values and structure. Some people encounter this problem when their server time is incorrect.

Server-side auth is not working. The user and token are always null when using withAuthUserTokenSSR, but client-side auth works.

If auth is working on the client side but not on the server-side, the auth cookies are most likely not set.

To fix this, confirm the auth cookies are set in your browser's dev tools. If they're not set, please check that the secure, sameSite, and path options passed in the next-firebase-auth config make sense for your environment. For example, if you're testing on non-HTTPS localhost, make sure secure is false.

In addition, please double-check your server logs for any errors to ensure the Firebase admin app is initializing properly.

Limitations & Feedback

We expect some apps will need some features that are not currently available:

  • Supporting custom session logic: Currently, this package doesn't allow using a custom cookie or session module. Some developers may need this flexibility to, for example, keep auth user data in server-side session storage.
  • Setting a single auth cookie: This package currently sets more than one cookie to store authentication state. It's not currently possible to use a single cookie with a customized name: #190

We'd love to hear your feedback on these or other features. Please feel free to open a discussion!

Contributing

We welcome contributions! Please see contributing docs to get started.