CLIENT_FETCH_ERROR when requesting to /api/auth/session, reason: read ECONNRESET

[italodeandra]

When opening any private page (pages that rely on the session) I get this error on the first time I load them.

But this only happens on the first time I load a private page right when I start the application, after this first load it doesn't happen again on the same page.

[next-auth][error][CLIENT_FETCH_ERROR] 
https://next-auth.js.org/errors#client_fetch_error request to http://localhost:3000/api/auth/session failed, reason: read ECONNRESET {
  error: {
    message: 'request to http://localhost:3000/api/auth/session failed, reason: read ECONNRESET',
    stack: 'FetchError: request to http://localhost:3000/api/auth/session failed, reason: read ECONNRESET\n' +
      '    at ClientRequest.<anonymous> (C:\\Users\\Italo\\WebstormProjects\\trackfy\\node_modules\\node-fetch\\lib\\index.js:1461:11)\n' +
      '    at ClientRequest.emit (node:events:390:28)\n' +
      '    at ClientRequest.emit (node:domain:475:12)\n' +
      '    at Socket.socketErrorListener (node:_http_client:447:9)\n' +
      '    at Socket.emit (node:events:390:28)\n' +
      '    at Socket.emit (node:domain:475:12)\n' +
      '    at emitErrorNT (node:internal/streams/destroy:157:8)\n' +
      '    at emitErrorCloseNT (node:internal/streams/destroy:122:3)\n' +
      '    at processTicksAndRejections (node:internal/process/task_queues:83:21)',
    name: 'FetchError'
  },
  path: 'session',
  header: {
    host: 'localhost:3000',
    connection: 'keep-alive',
    'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"',
    'sec-ch-ua-mobile': '?0',
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36',
    'sec-ch-ua-platform': '"Windows"',
    accept: '*/*',
    'sec-fetch-site': 'same-origin',
    'sec-fetch-mode': 'cors',
    'sec-fetch-dest': 'empty',
    referer: 'http://localhost:3000/panel/movies/61a4ea70be27d0d0d6ee2da9',
    'accept-encoding': 'gzip, deflate, br',
    'accept-language': 'en-US,en;q=0.9,pt-BR;q=0.8,pt;q=0.7',
    cookie: 'appDrawer=true; theme=%7B%22mode%22%3A%22dark%22%7D; next-auth.csrf-token=ad110bcb8327023106285f5fcc4f7f604d252a566eb2a47fefb95d978f4faaa3%7C93b15d8b1a2da602c2380584c69c409dbb7513ccc19bbe600fd11401e22234c5; next-auth.callback-url=http%3A%2F%2Flocalhost
%3A3000%2Fsign-in; next-auth.session-token=e12946ce-d428-45b2-8c39-e7d74ba4f12e; appBar=true'
  },
  message: 'request to http://localhost:3000/api/auth/session failed, reason: read ECONNRESET'
}`

I have no idea what it might be.

Is getSession problematic when using on getServerSideProps?

[balazsorban44]

have a minimal reproduction?

[smeijer]

Regarding the use case @statico describes;

This library's getSession util uses fetch to request the user (/session) from the auth api route. The api route then decodes the jwt token which is stored in a session cookie, and sends the session object back as json. This makes zero sense if we're already on the server. Ideally, the function should have been isomorphic.

To fix the issues we were experiencing, I've created a simple getSessionFromCookie util that reads the session cookie, and decodes the jwt token from that without the extra round trip.

TLDR: don't use getSession on the server!

IMO: getSession should either be made isomorphic or throw when it's called on the server.

[JavierMartinz]

Could you share that getSessionFromCookie util, 🙏 ? Thanks!

[italodeandra]

@smeijer Post your solution as an answer so I can mark it as "the" answer. My own approach was to remove next-auth entirely so your solution might be better for future reference.

[JavierMartinz]

Yes, please @smeijer :)

[smeijer]

Sorry, totally slipped my mind. Here you go #3330 (comment)

Again, not saying it's fault-free. It supports our use case. So feel free to adjust it to your needs and to share your improvements.

[smeijer]

Is getSession problematic when using on getServerSideProps?

It might. getSession is meant to run on the client. As it uses fetch to request the user object from the session API route (/api/auth/session) managed by next-auth, a single page request can result in multiple network requests if getServerSideProps uses getSession to obtain the user information. Every time you'll invoke getSession, the server will execute another network request against itself.

My way to bypass this problem, was to create a getSessionFromCookie helper. A small function that reads the JWT token from the cookie header, and decodes that instead.

I'm not saying my solution is the best or fault-free. It supports our use case. Please adjust as you seem fit.

import * as jwt from "next-auth/jwt"
import { NextApiRequestCookies } from "next/dist/server/api-utils"

/**
 * Reads the JWT token from the next-auth session cookie, and returns the
 * session object by decoding the token. Returns null if the JWT token is absent
 * or invalid
 */
export async function getSessionFromCookie({
  req,
}: {
  req: { cookies: NextApiRequestCookies }
}) {
  try {
    // The cookie name differs between http and https urls. Also see here:
    // https://github.com/nextauthjs/next-auth/blob/50fe115df6379fffe3f24408a1c8271284af660b/src/core/lib/cookie.ts#L56-L60
    const isSecure = process.env.NEXT_PUBLIC_BASE_URL?.startsWith("https://")
    const cookiePrefix = isSecure ? "__Secure-" : ""
    const sessionToken = req.cookies?.[`${cookiePrefix}next-auth.session-token`]

    // decode will throw when the token is invalid
    const decoded = await jwt.decode({
      token: sessionToken,
      secret: String(process.env.COOKIE_SECRET_KEY),
    })

    if (!decoded) return null

    return {
      user: { id: String(decoded.sub) },
      expires: new Date(Number(decoded.exp) * 1000).toISOString(),
    }
  } catch {
    return null
  }
}

[oogunjob]

This worked for me!

[Derviloper]

The documentation says that the getSession function can be used either in the client or on the server (https://next-auth.js.org/getting-started/client#getsession). useSession can only be used in the client.
I also had this problem and found out what the problem was.
I had another process running which used the default port 3000 but next.js didn't recognize this and still used the port.
On MacOS I checked this by using the following command: netstat -vanp tcp | grep 3000
After I killed the process it worked.

[davevilela]

my implementation for database sessions using prisma adapter:

type Ctx = {
  req: IncomingMessage;
};

const getUserAndSession = async (sessionToken: string): Promise<Session> => {
  const { session, user } = await prismaAdapter.getSessionAndUser(sessionToken);
  if (session && user) {
    return {
      expires: session.expires.toString(),
      user,
    };
  }
  return undefined;
};

const getToken = async (ctx: Ctx) => {
  const cookies = parseCookies(ctx.req);
  const token = cookies['next-auth.session-token'];
  if (!token) return undefined;
  return getUserAndSession(token);
};

parseCookies.ts:

export function parseCookies(request: IncomingMessage): Record<string, any> {
  const list = {};
  const cookieHeader = request.headers?.cookie;
  if (!cookieHeader) return list;

  cookieHeader.split(`;`).forEach(function (cookie) {
    // eslint-disable-next-line prefer-const
    let [name, ...rest] = cookie.split(`=`);
    name = name?.trim();
    if (!name) return;
    const value = rest.join(`=`).trim();
    if (!value) return;
    list[name] = decodeURIComponent(value);
  });

  return list;
}

[Rafcin]

Just thought I'd drop this here; it might help. Someone mentioned switching the NEXTAUTH_URL to http://127.0.0.1:3000, and this solves any issues with the session. Why does this work?

This works to an extent. I don't know if anyone is running into this but when I try to use next-auth my dev session just crashes without any errors.

[jvillalbaj2lc]

Works like CHARRRRMMMM!!!

[cvega]

Curious about this too, I see the following on localhost despite the fact I can hit localhost and get a json response.

[next-auth][error][CLIENT_FETCH_ERROR] 
https://next-auth.js.org/errors#client_fetch_error fetch failed {
  error: {
    message: 'fetch failed',
    stack: 'TypeError: fetch failed\n' +
      '    at Object.fetch (node:internal/deps/undici/undici:14152:11)\n' +
      '    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)',
    name: 'TypeError'
  },
  url: 'http://localhost:3000/api/auth/session',
  message: 'fetch failed'
}

When I change NEXTAUTH_URL=http://127.0.0.1:3000 everything seems to work just fine.

[sarzeez]

thanks, bro! It worked after changing to NEXTAUTH_URL=http://127.0.0.1:3000

[benitazhang]

Thanks! This works for me as well but does anyone have some insight into why?

[KirschX]

For me, It was 'getSession' mistakenly used in serverside. I replaced it to 'getServerSession' and problem solved. Hope it would help anyone.

[aamon40]

A combination of this and replacing 'getSession' with 'getToken' did the trick in my case. Thanks for the help.

[sygmaticKyle]

Posting here just in case it helps someone, I had a slew of problems.
I was coming from an older version of next to v13, and adding next auth at the same time.

ISSUE #1
Step 1
My issue was due to the fact that my package.json build script was "build": "next build && next export"
Switching it to just "build": "next build" fixed it due to what is below...

nextjs even output this nice warning below that I didn't read until I had spent far to much time trying to resolve this.

warn Statically exporting a Next.js application via `next export` disables API routes and middleware.
This command is meant for static-only hosts, and is not necessary to make your application static

... next export disables API routes... aka /api/auth/session

Step 2
Needed to update my build script in amplify since it was looking for the /out exports from next export. Now the files from the builds are in the .next directory.

ISSUE #2
Amplify had been setup for v11 need to migrate
Followed this doc to migrate

ISSUE #3
Needed to remove old redirects: aws-amplify/amplify-hosting#3168 (comment)

ISSUE #4
Setting the env vars so that they were accessible from SSR rendering (which is were the auth gets compiled). I tried many other ways but wasn't working for me.
https://docs.aws.amazon.com/amplify/latest/userguide/ssr-environment-variables.html

[shivampip]

I was running nextjs project on a port other than 3000, say 4200. we need to communicate this info to next-auth.
so adding this in .env resolved the issue for me.

NEXTAUTH_URL_INTERNAL="http://localhost:4200"

[shivampip]

I was running nextjs project on a port other than 3000, say 4200. we need to communicate this info to next-auth.
so adding this in .env resolved the issue for me.

NEXTAUTH_URL_INTERNAL="http://localhost:4200"

[Pattygeek]

I had additional code in my next.config.mjs file and as soon as I remove the code it worked for me.

[kr-mustali]

what do you mean by additional code?
can you please share your next.config.mjs file?

[senseibarni]

If you reached the bottom of this thread and nothing helps... try to remove all cookies for localhost (in the browser).
It might be something there if other application (or even yours) left something connected to the headers.
In my case that was the reason.