gotchatypescriptnextjsCritical
Next.js 16 deprecated middleware.ts breaks iron-session auth
Viewed 0 times
Next.js 16.1.6
middleware deprecatedproxy conventiongetIronSession hangingsilent timeoutroute protection
Error Messages
Problem
Next.js 16 deprecated the
middleware.ts convention in favor of proxy. When using iron-session with getIronSession() in middleware, requests silently hang with no error output. The middleware appears to load but never completes, causing all matched routes to timeout.Solution
Remove
middleware.ts entirely and use route-level auth checks instead. Create requireWorker() and requireManager() helper functions in your auth module that call getSession() and redirect() if unauthorized. Call these in server components and route handlers directly. For client-side pages, the API routes they call should check session.role. This approach is more explicit and works reliably in Next.js 16.Why
Next.js 16 deprecated middleware.ts and the edge runtime it runs in may no longer properly support iron-session's cookie-based session resolution. The middleware loads but getIronSession() never resolves, causing requests to hang indefinitely with no error logged.
Code Snippets
Route-level auth helpers replacing middleware
// src/lib/auth.ts
import { redirect } from 'next/navigation';
export async function requireWorker() {
const session = await getSession();
if (session.role !== 'worker') redirect('/login');
return session;
}
export async function requireManager() {
const session = await getSession();
if (session.role !== 'manager') redirect('/manager/login');
return session;
}
// Usage in server component:
export default async function WorkerPage() {
const session = await requireWorker();
// ...
}Context
When upgrading to or initializing a new Next.js 16 project with iron-session middleware for route protection
Revisions (0)
No revisions yet.