[Feature request] Exclude/detect on-demand revalidation request from/in middleware for authentication

[bennettdams]

This was briefly discussed in the comments of this post, but without an answer.

Describe the feature you'd like to request

I'm using middlewares to protect sites from unauthenticated access. Unfortunately the new on-demand revalidation and its requests are also intercepted by the middleware.

In my case, unauthenticated users are redirected to the sign in page. Here's part of the middleware for reference:

// _middleware.ts (in root)
...
    if (isSignedIn) {
      // user is signed in, go on
      return NextResponse.next();
    } else {
      const urlNew = req.nextUrl.clone();
      urlNew.pathname = ROUTES.SIGN_IN;

      return NextResponse.redirect(urlNew);
    }

I obviously don't want to do this redirection for the revalidation requests.

Right now, I circumvent this by looking at the header of the middleware request:

const isRevalidationRequest = !!req.headers.get("x-prerender-revalidate");

Requests coming from on-demand revalidation (await res.unstable_revalidate("/some-path")) will have this header. I can skip the redirection for such requests, but this is obviously not great.

Is there a better way?

Describe the solution you'd like

Possible solutions I thought about:

• Middlewares can detect revalidation requests automatically and can be configured by us to ignore them/pass them through as-is
• Requests of revalidation executions can be modified, so we can e.g. add a request body that contains a secret:

  const mySecret = { ... }
  // `mySecret` will be added as request body
  await res.unstable_revalidate("/some-path", mySecret);

[bennettdams]

This was changed in v12.2.0, so on-demand ISR requests are not invoking the middleware anymore 🥳

See: #38562