DEV Community

Yuta Kusuno
Yuta Kusuno

Posted on • Updated on

[Next.js] Firebase Authentication with Google sign-in using cookies, middleware, and Server Actions

This post provides a explanation of implementing user authentication in a Next.js 14 application using Firebase Authentication with Google sign-in. It utilizes cookies and server actions to effectively manage user sessions. Since this is a demo, there are no token updates or rigorous checking of tokens. Please customize it accordingly according to your project specifications.




As for the components I implemented, all I have is the home page and a very simple header. I have kept it simple so that you can easily utilize it in your projects.

Before signing in (localhost:3000/)

Before signing in (localhost:3000/)

When a user clicks the sign in button

When a user clicks the sign in button

After signing in (localhost:3000/home)

After signing in (localhost:3000/home)

Project Structure

├── actions                 // added
│   └── auth-actions.ts
├── app
│   ├── home                // added
│   │   └── page.tsx
│   ├── favicon.ico
│   ├── globals.css
│   ├── layout.tsx          // fixed
│   └── page.tsx
├── components              // added
│   └── header.tsx
├── hooks                   // added
│   └── use-user-session.ts
├── libs                    // added
│   └── firebase
│       ├── auth.ts
│       └── config.ts
├── public
├── .env                    // added
├── .eslintrc.json
├── .gitignore
├── .prettierrc.yaml
├── constants.ts            // added
├── middleware.ts           // added
├── next-env.d.ts
├── next.config.mjs
├── package-lock.json
├── package.json
├── postcss.config.mjs
├── tailwind.config.ts
└── tsconfig.json
Enter fullscreen mode Exit fullscreen mode

Package Versions (Package.json)



  "dependencies": {
    "firebase": "^10.11.0",
    "next": "14.2.1",
    "react": "^18",
    "react-dom": "^18"
  "devDependencies": {
    "@types/node": "^20",
    "@types/react": "^18",
    "@types/react-dom": "^18",
    "eslint": "^8",
    "eslint-config-next": "14.2.1",
    "eslint-config-prettier": "^9.1.0",
    "postcss": "^8",
    "tailwindcss": "^3.4.1",
    "typescript": "^5"
Enter fullscreen mode Exit fullscreen mode


Now let's look at the implementation.

Environment Variables

This environment file .env securely stores Firebase project configuration values (API key, auth domain, etc.).

If you have not yet set up your Firebase project, click here.

# .env

Enter fullscreen mode Exit fullscreen mode

Firebase Configuration

The libs/firebase/config.ts file handles the initialization and configuration of the Firebase app.

// libs/firebase/config.ts

import { getAuth } from 'firebase/auth';
import { initializeApp, getApps } from 'firebase/app';

// Load .env variables
const firebaseConfig = {
  apiKey: process.env.NEXT_PUBLIC_FIREBASE_API_KEY,
  authDomain: process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN,
  projectId: process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID,
  storageBucket: process.env.NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET,
  messagingSenderId: process.env.NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID,
  appId: process.env.NEXT_PUBLIC_FIREBASE_APP_ID,

const firebaseApp =
  getApps().length === 0 ? initializeApp(firebaseConfig) : getApps()[0];

export const firebaseAuth = getAuth(firebaseApp);
Enter fullscreen mode Exit fullscreen mode
  • Initializes the Firebase app using initializeApp or retrieves an existing instance.
  • Exports the firebaseAuth instance for accessing Firebase authentication services.

Firebase Authentication

The libs/firebase/auth.ts file encapsulates Firebase authentication logic.

// libs/firebase/auth.ts

import {
  type User,
  onAuthStateChanged as _onAuthStateChanged,
} from 'firebase/auth';

import { firebaseAuth } from './config';

export function onAuthStateChanged(callback: (authUser: User | null) => void) {
  return _onAuthStateChanged(firebaseAuth, callback);

export async function signInWithGoogle() {
  const provider = new GoogleAuthProvider();

  try {
    const result = await signInWithPopup(firebaseAuth, provider);

    if (!result || !result.user) {
      throw new Error('Google sign in failed');
    return result.user.uid;
  } catch (error) {
    console.error('Error signing in with Google', error);

export async function signOutWithGoogle() {
  try {
    await firebaseAuth.signOut();
  } catch (error) {
    console.error('Error signing out with Google', error);
Enter fullscreen mode Exit fullscreen mode
  • onAuthStateChanged: Listens for changes in the user's authentication state.
  • signInWithGoogle: Initiates Google sign-in using a popup window.
  • signOutWithGoogle: Signs out the current user from Firebase.


// constants.ts

export const ROOT_ROUTE = '/';
export const HOME_ROUTE = '/home';

export const SESSION_COOKIE_NAME = 'user_session';

Enter fullscreen mode Exit fullscreen mode

Session Management in Server Actions

In actions/auth-actions.ts, it implements server actions for creating and removing session cookies.

// actions/auth-actions.ts

'use server';

import { cookies } from 'next/headers';
import { redirect } from 'next/navigation';

import { HOME_ROUTE, ROOT_ROUTE, SESSION_COOKIE_NAME } from '@/constants';

export async function createSession(uid: string) {
  cookies().set(SESSION_COOKIE_NAME, uid, {
    httpOnly: true,
    secure: process.env.NODE_ENV === 'production',
    maxAge: 60 * 60 * 24, // One day
    path: '/',


export async function removeSession() {

Enter fullscreen mode Exit fullscreen mode
  • createSession: Sets a cookie named SESSION_COOKIE_NAME containing the user ID and redirects to the home page.
    • HTTP-only: The cookie is flagged as HTTP-only, enhancing security by preventing client-side JavaScript from accessing its content.
    • Secure: In a production environment, the secure flag is set, ensuring the cookie is transmitted only over HTTPS connections.
    • Max Age: The cookie expires after one day (24 hours) of inactivity.
  • removeSession: Deletes the SESSION_COOKIE_NAME cookie and redirects to the root page.

Session Management in Client

In hooks/use-user-session.ts, it provides a custom hook for managing user sessions.

// hooks/use-user-session.ts

import { useEffect, useState } from 'react';

import { onAuthStateChanged } from '../libs/firebase/auth';

export function useUserSession(InitSession: string | null) {
  const [userUid, setUserUid] = useState<string | null>(InitSession);

  // Listen for changes to the user session
  useEffect(() => {
    const unsubscribe = onAuthStateChanged(async (authUser) => {
      if (authUser) {
      } else {

    return () => unsubscribe();
  }, []);

  return userUid;
Enter fullscreen mode Exit fullscreen mode
  • useUserSession:
    • Accepts an initial session ID.
    • Maintains the current user ID (userUid) in state.
    • Listens for Firebase auth state changes using onAuthStateChanged.
    • Returns the current userUid.

Application Layout


import type { Metadata } from 'next';
import { Inter } from 'next/font/google';
import { cookies } from 'next/headers';

import Header from '@/components/header'; // added
import { SESSION_COOKIE_NAME } from '@/constants'; // added
import './globals.css';

const inter = Inter({ subsets: ['latin'] });

export const metadata: Metadata = {
  title: 'Create Next App',
  description: 'Generated by create next app',

export default async function RootLayout({
}: Readonly<{
  children: React.ReactNode;
}>) {
  // added
  const session = cookies().get(SESSION_COOKIE_NAME)?.value || null;

  return (
    <html lang='en'>
      <body className={inter.className}>
        <Header session={session} /> // added

Enter fullscreen mode Exit fullscreen mode
  • Retrieves the session cookie from the request headers.
  • Renders the Header component, passing the session as a prop.
  • Displays the application's content.

By passing session information from the RSC to the RCC, the Header component for authenticated users can be loaded from the beginning if the user is already logged in.

Header Component

// components/header.tsx

'use client';

import { useUserSession } from '@/hooks/use-user-session';
import { signInWithGoogle, signOutWithGoogle } from '@/libs/firebase/auth';
import { createSession, removeSession } from '@/actions/auth-actions';

export function Header({ session }: { session: string | null }) {
  const userSessionId = useUserSession(session);

  const handleSignIn = async () => {
    const userUid = await signInWithGoogle();
    if (userUid) {
      await createSession(userUid);

  const handleSignOut = async () => {
    await signOutWithGoogle();
    await removeSession();

  if (!userSessionId) {
    return (
        <button onClick={handleSignIn}>Sign In</button>

  return (
            <a href='#'>Menu A</a>
            <a href='#'>Menu B</a>
            <a href='#'>Menu C</a>
      <button onClick={handleSignOut}>Sign Out</button>

export default Header;
Enter fullscreen mode Exit fullscreen mode
  • Uses useUserSession to get the current user's session ID.
  • Displays a sign-in button if the user is not signed in.
  • Displays a sign-out button and navigation links if the user is signed in.
  • Based on the event handlers (handleSignIn or handleSignOut), signing in or signing out process. At the same time, calling server actions createSession or removeSession.


// middleware.ts

import { type NextRequest, NextResponse } from 'next/server';
import { HOME_ROUTE, ROOT_ROUTE, SESSION_COOKIE_NAME } from './constants';

const protectedRoutes = [HOME_ROUTE];

export default function middleware(request: NextRequest) {
  const session = request.cookies.get(SESSION_COOKIE_NAME)?.value || '';

  // Redirect to login if session is not set
  if (!session && protectedRoutes.includes(request.nextUrl.pathname)) {
    const absoluteURL = new URL(ROOT_ROUTE, request.nextUrl.origin);
    return NextResponse.redirect(absoluteURL.toString());

  // Redirect to home if session is set and user tries to access root
  if (session && request.nextUrl.pathname === ROOT_ROUTE) {
    const absoluteURL = new URL(HOME_ROUTE, request.nextUrl.origin);
    return NextResponse.redirect(absoluteURL.toString());
Enter fullscreen mode Exit fullscreen mode
  • Identifies protected routes (e.g., home page).
  • Redirects users to the login page if they are not signed in and trying to access a protected route.
  • Redirects signed-in users to the home page if they try to access the root page.

Overall Implementation

The application utilizes the following flow:

  1. The user visits the application.
  2. The middleware checks the session cookie.
    • If the user is not signed in and tries to access a protected route, they are redirected to the login page.
    • If the user is signed in and tries to access the root page, they are redirected to the home page.
  3. On the login page, the user clicks the "Sign In" button.
  4. The signInWithGoogle function is called, initiating the Google sign-in process.
  5. Upon successful sign-in, Firebase sends the user's profile information to the application.
  6. The onAuthStateChanged function detects the user's signed-in state.
  7. The useUserSession hook updates the userUid state.
  8. The createSession function sets the session cookie and redirects the user to the home page.
  9. The user can now navigate through the protected areas of the application.
  10. To sign out, the user clicks the "Sign Out" button in the header.
  11. The signOutWithGoogle function is called, signing the user out of Firebase.
  12. The onAuthStateChanged function detects the user's signed-out state.
  13. The useUserSession hook updates the userUid state to null and calls the removeSession.

If you like it, feel free to adjust the code snippets provided and have them customized to your project's specific requirements and preferences.


That is about it. Happy coding!

Top comments (2)

tungdnt profile image

Will this work for SSR page? I’m seeing you’re managing token using cookie, but cookie isn’t available in server side

yutakusuno profile image
Yuta Kusuno

Hi @tungdnt !
Unfortunately, this will not work. The signInWithPopup which authenticates a Firebase client using a popup can work in client components. As far as I have tried to implement it inside server actions (server-side), it did not work and I got a Firebase Error (auth/operation-not-supported-in-this-environment).

To be honest, I would like to handle everything with SSR. If there is a way to do it, I would like to improve it!!