Hi all,
We’re building a Next.js + NestJS hybrid app with BoxyHQ’s SaaS starter kit. It uses:
Next.js (frontend, middleware, NextAuth)
NestJS (backend API, mounted under /api/**)
Stripe (checkout, webhooks, subscriptions)
Google Gmail API integration (via NextAuth Google provider / service account)
Everything works fine when running in-browser with a logged-in user, but we’ve hit a roadblock:
The Problem:
Any curl / CLI / Stripe CLI / Gmail API calls to routes like:
  GET /api/orders/session?sessionId=...
  POST /api/compliance/offers/checkout
  GET /api/gmail/messages
…get intercepted by NextAuth middleware. Instead of returning JSON, it 307-redirects to /auth/login?callbackUrl=....
That makes it impossible to:
Use Stripe CLI (stripe trigger …) against /api/webhooks/stripe (unless hacked around).
Call diagnostic endpoints like /api/orders/session with curl.
Integrate Gmail API fetchers (server-to-server) because middleware assumes everything must be a logged-in user.
What We Tried
Whitelisting routes in middleware.ts (/api/orders/, /api/webhooks/, /api/compliance/, /api/gmail/).
Passing cookies manually in curl:
curl "http://localhost:3002/api/orders/session?sessionId=cs_test_123" \
  -H "Cookie: next-auth.session-token=…"
This works, but defeats the purpose for automated systems like Stripe CLI or background workers.
Adding a dev-only bypass header (ugly hack, not suitable for prod).
Moving some checks down into NestJS (HmacGuard), but NextAuth middleware still intercepts before it hits Nest.
What We Need
A clean pattern for letting some /api/** routes bypass NextAuth middleware (Stripe webhooks, Gmail, diagnostics) while keeping the rest protected.
A way to call /api/orders/session or /api/gmail/messages without NextAuth cookies, but still secured (e.g. HMAC header, API key, service account).
Guidance on how to best wire NextAuth + NestJS so auth is enforced where needed, but doesn’t break machine-to-machine integrations.
Ask
If you’ve solved this or have ideas:
How do you structure middleware.ts allowlists for hybrid Next.js/Nest apps?
Do you secure “machine” routes with API keys, HMAC, or something else instead of NextAuth?
Any examples of Gmail API integration in a Next.js + Nest setup would be gold.
How do you test with Stripe CLI locally when NextAuth middleware blocks /api/webhooks/stripe?
We’d love contributions or pointers — whether it’s PRs, snippets, or just sharing your approach.
Thanks in advance 🙏
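One way to approach the "bypass NextAuth for machine routes, but still secure them" part of the question, as an added example that is not code from the original post or from BoxyHQ's kit: a pure-function route allowlist plus a timestamped HMAC check for those routes, written without Next.js imports so it can be unit-tested and then called from the exported `middleware(req)` in middleware.ts (falling through to NextAuth's `withAuth` for everything else). The route prefixes come from the post; the header format `t=<unix seconds>,v1=<hex hmac>` and the 300 s replay window are assumptions modelled on Stripe's documented signature scheme, and the Stripe webhook route itself should still be verified with Stripe's own SDK rather than this HMAC.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed allowlist (paths taken from the post). Allowlisting only means NextAuth
// does not redirect these to /auth/login; each one must verify its own credential.
export const MACHINE_ROUTE_PREFIXES = [
  "/api/webhooks/stripe",
  "/api/orders/session",
  "/api/gmail/messages",
];

// Exact match or a sub-path; "/api/gmail/messagesx" must not slip through.
export function isMachineRoute(pathname: string): boolean {
  return MACHINE_ROUTE_PREFIXES.some(
    (p) => pathname === p || pathname.startsWith(p + "/"),
  );
}

// Caller side (assumed scheme): HMAC-SHA256 over `${ts}.${rawBody}` with a shared
// secret, sent as "t=<ts>,v1=<hex>" so the timestamp is covered by the signature.
export function signRequest(rawBody: string, secret: string, ts: number): string {
  const mac = createHmac("sha256", secret).update(`${ts}.${rawBody}`).digest("hex");
  return `t=${ts},v1=${mac}`;
}

// Server side: reject missing/malformed headers, stale timestamps (replay), and
// any MAC mismatch, comparing in constant time. `nowSec` is injected for testability.
export function verifyRequest(
  rawBody: string,
  header: string | null,
  secret: string,
  nowSec: number,
  toleranceSec = 300,
): boolean {
  if (!header) return false;
  const parts = new Map<string, string>();
  for (const kv of header.split(",")) {
    const i = kv.indexOf("=");
    if (i > 0) parts.set(kv.slice(0, i), kv.slice(i + 1));
  }
  const ts = Number(parts.get("t"));
  const v1 = parts.get("v1");
  if (!Number.isInteger(ts) || !v1) return false;
  if (Math.abs(nowSec - ts) > toleranceSec) return false;
  const expected = createHmac("sha256", secret).update(`${ts}.${rawBody}`).digest();
  const given = Buffer.from(v1, "hex");
  if (given.length !== expected.length) return false; // also catches non-hex input
  return timingSafeEqual(given, expected);
}
```

The same `verifyRequest` can back the NestJS `HmacGuard` mentioned above, as long as the guard reads the raw request body (not the JSON-parsed one) so the bytes signed are the bytes checked.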