@redwood/api-server - Context creation failed

I am doing some self-hosted setup at moment and exploring using the API server. I have the web side working, but the API side I am having some issues with.

After performing a login on my web app.

I can see a request being made to .netlify/identity/token - which is 200 OK and see the token response.

Following that, another request to /.netlify/identity/user - 200 OK. I see a proper response with user data.

A request is then made to the api-server (redwood API) - 500 status. The response is

"errors":[ {"message":"Context creation failed: Cannot read property 'sub' of null",

I am not quite sure how to start to debug this issue, as the API server does not throw any exceptions or reveal any data. If there is any flags I can enable to show more debug logging - let me know.

To clarify: you intend to use Netlify Identity as your authentication provider, but not deploy your api on Netlify.

This might be problematic because of the way Netlify Identity handles the JWT and its decoding – especially in production vs dev.

While the web side may be talking to Netlify Identity via the widget, the api side relies on something else.

See: https://github.com/redwoodjs/redwood/blob/53349fd121f9198a8fdb5c0217cec8c4f8b6badd/packages/api/src/auth/decoders/netlify.ts#L8

export const netlify = (token: string, req: { context: LambdaContext }) => {
  // Netlify verifies and decodes the JWT before the request is passed to our Serverless
  // function, so the decoded JWT is already available in production.
  if (process.env.NODE_ENV === 'production') {
    const clientContext = req.context.clientContext as NetlifyContext
    return clientContext?.user || null
  } else {
    // We emulate the native Netlify experience in development mode.
    // We just decode it since we don't have the signing key.
    return jwt.decode(token)

In development mode, the decoder simply decodes the JWT and will then return the decoded claims such as sub (subscriber) which is the user id.

Note: What is important here is that in dev, the token is not verified. It’s signature is not checked, nor its expiration, etc.

But, in production, the decoder relies on the fact that Netlify’s implementation decodes and verifies the token for you and returns a user with those claims from the JWT.

This is likely why you get the

Cannot read property ‘sub’ of null

because the user is null because you don’t have access to the req.context.clientContext that Netlify provides when not deploying your api to Netlify.

I can think of some creative ways around this – and can discuss – but perhaps you may consider a different auth provider given it isn’t really using Netlify.

Ah, I feared this might be the case @dthyresson

Well, I was waiting for supabase v1.0 to try that out anyway, so this issue I guess means I will have to switch over to use their auth.

1 Like

Auth0 is also really great!

@peterp is it though? It seems hardly anyone in the redwood community is using it and seems to be the most complex to setup. Do you have a good experience with using it in the past? are there is any standout features that make it worth using?

Feel a bit stuck at the moment, since it looks like I can’t use netlify auth when self hosting, and supabase auth is waiting for v1 :tired_face: (that is what I was going to switch to)

First time trying these third party identity services and I’ve have a sour taste already :frowning:

@dthyresson can you outline some of these work arounds?