next-auth callbacks authorized never called

Question

Using the following NextAuthConfig (with some areas redacted), I cannot get callbacks.authorized to fire.

It is mentioned in the official docs https://authjs.dev/reference/next-auth#authorized with some kind of dependency on middleware, though that does not seem clear to me. Any ideas?

const authOptions: NextAuthConfig = {
    trustHost: true,
    session: {
        strategy: 'jwt',
    },
    providers: [
        CredentialsProvider({
            id: 'mycompany',
            name: 'mycompany',
            type: 'credentials',
            authorize: authorize as any,
            credentials: {
                email: { label: 'Email', type: 'text', placeholder: '[email protected]' },
                password: { label: 'Password', type: 'password' },
            },
        }) as any,
    ],
    pages: {
        signIn: '/auth/signin',
    },
    callbacks: {
        async authorized({ auth, request: { nextUrl } }) {
            throw new Error('this never happens')
        },
        redirect: ({ baseUrl, url }: any) => {
            // snip (works)
        },
        async jwt({ token, ...params }: any) {
            // snip (works)
        },
        async session({ session, ...params }: any) {
            // snip (works)
        },
    }
}

export default authOptions
async function authorize(credentials?: { email?: string; password?: string }) {
 // snip (works)
}

middleware.ts

import { getSubdomainFromHost } from '@mycompany/shared/helpers/url';
import { NextResponse, type NextFetchEvent, type NextRequest } from 'next/server';
import { getLogger } from './lib/getLogger';

const logger = getLogger()

// export const config = {
//  matcher: [
//    /*
//     * Match all request paths except for the ones starting with:
//     * - api (API routes)
//     * - _next/static (static files)
//     * - _next/image (image optimization files)
//     * - favicon.ico (favicon file)
//     */
//    {
//      source: '/((?!_next/static|_next/image|favicon.ico|icons|logo).*)',
//      missing: [
//        { type: 'header', key: 'next-router-prefetch' },
//        { type: 'header', key: 'purpose', value: 'prefetch' },
//      ],
//    },
//  ],
// }

export function middleware(request: NextRequest, _next: NextFetchEvent) {
    const headers = new Headers(request.headers)
    headers.set('x-forwarded', request.url)
    headers.set('x-base-url', `${request.nextUrl.protocol}://${request.nextUrl.host}`)
    // const nextUrl = request.nextUrl
    const host = request.headers.get('host')
    // const pathname = nextUrl.pathname
    const subdomain = getSubdomainFromHost(host)
    if(subdomain) {
        headers.set('x-subdomain', subdomain)
    }

     

    logger.debug(`[Middleware] NextResponse.next: `, request.url)
    return NextResponse.next({
        request: {
            headers,
        },
    })
}

npm versions:

"next": "14.2.3",
"next-auth": "5.0.0-beta.17",

Answer 1

As mentioned, the authorized method will only execute when auth is referenced inside your middleware file but the middleware file has be correctly set up in the first place. I had a similar issue with my middleware file being at the root of my project while it should have been inside my src folder. It might apply to your situation.

According to the Next.js Middleware documentation:

Use the file middleware.ts (or .js) in the root of your project to define Middleware. For example, at the same level as pages or app, or inside src if applicable.