Next.js + NextAuth.js — Manager Approval Flow with Popup Login

By -

Next.js + NextAuth.js — Manager Approval Flow with Popup Login

In some workflows, you need a manager to approve actions without logging out the current user. This post shows how to implement a Manager Approval Flow using NextAuth.js and a separate popup login, ensuring valid manager roles and token handling.

1️⃣ Overview of the flow

The flow works like this:

  1. The user triggers an action requiring manager approval.
  2. A popup opens with a separate NextAuth.js client configured for manager login.
  3. The manager signs in.
  4. We get the access_token and validate that the manager has the required role.
  5. If valid, send a message to the opener and close the popup.
  6. If invalid or login fails, show an error in the popup and allow retry.
  7. Always log out the manager and clear cookies after each approval attempt.

2️⃣ Setting up a separate client for manager login

You need a separate Keycloak client ID for the manager flow, but the same provider: 



providers: [

  KeycloakProvider({

    clientId: process.env.MANAGER_CLIENT_ID,

    clientSecret: process.env.MANAGER_CLIENT_SECRET,

    issuer: process.env.KEYCLOAK_ISSUER

  })

]

> This allows the manager login to be isolated from the main user session.

3️⃣ Popup login page

Open a popup window when manager approval is needed:



function openManagerPopup() {

  const popup = window.open(

    "/manager-login",

    "managerLogin",

    "width=500,height=600"

  );

  window.addEventListener("message", (event) => {

    if (event.data.type === "manager-approved") {

      console.log("Manager approved:", event.data);

      // Proceed with approval

    }

  });

}

The popup page points to a Next.js page with NextAuth.js sign-in for the manager.

4️⃣ Sign-in callback and role verification



callbacks: {

  async signIn({ user, account }) {

    if (account) {

      const accessToken = account.access_token;

      // Call backend API to verify manager role

      const res = await fetch("/api/verify-manager", {

        method: "POST",

        headers: { Authorization: `Bearer ${accessToken}` }

      });

      const data = await res.json();

      if (!data.isManager) {

        return "/manager-login?error=not_manager"; // redirect back to popup with error

      }

    }

    return true;

  }

}

> The backend verifies the token and ensures the manager has the required role.

5️⃣ Posting message to opener

Once verified, send a message from the popup to the main window:



if (window.opener) {

  window.opener.postMessage(

    { type: "manager-approved", user: session.user },

    window.location.origin

  );

  // Close popup

  window.close();

}

6️⃣ Logout and cleanup

For security, always log out the manager and clean up cookies, so each approval requires a fresh login:



import { signOut } from "next-auth/react";

await signOut({ redirect: false });

// Optional: clear cookies manually if needed

document.cookie = "next-auth.session-token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT";

> This ensures no stale tokens are left, and the next approval will require login again.

7️⃣ Backend token verification

Implement an API endpoint to validate manager token:



export default async function handler(req, res) {

  const token = req.headers.authorization?.split(" ")[1];

  if (!token) return res.status(401).json({ isManager: false });

  try {

    const decoded = await verifyToken(token); // your JWT verification logic

    if (decoded.roles?.includes("MANAGER")) {

      res.status(200).json({ isManager: true });

    } else {

      res.status(403).json({ isManager: false });

    }

  } catch (err) {

    res.status(401).json({ isManager: false });

  }

}

8️⃣ Error handling and retry

If the manager login fails or the role is invalid:

  • Redirect back to the popup login page with an error query string.
  • Show a user-friendly error message.
  • Allow the manager to sign in again.

Conclusion

This popup-based Manager Approval Flow ensures:

  • Manager login is isolated from main user session
  • Access token is fresh every login
  • Manager role is validated securely
  • Error handling and logout cleanup are done correctly

It’s ideal for workflows that require manager approval without affecting the main user session.

Part of the Next.js Frontend SSO Series

❤️ Support This Blog

If this post helped you, you can support my writing with a small donation. Thank you for reading.

Coffee ☕ Thanks 🙏 Extra Support ❤️

Comments

Post a Comment

Popular posts from this blog

fixed: embedded-redis: Unable to run on macOS Sonoma

By -
Image
Issue you might see below error while trying to run embedded-redis for your testing on your macOS after you upgrade to Sonoma. java.lang.RuntimeException: Can't start redis server. Check logs for details. Redis process log: at redis.embedded.AbstractRedisInstance.awaitRedisServerReady(AbstractRedisInstance.java:70) at redis.embedded.AbstractRedisInstance.start(AbstractRedisInstance.java:42) at redis.embedded.RedisServer.start(RedisServer.java:9) Solution use the latest one: https://mv   ...
Read more

Copying MDC Context Map in Web Clients: A Comprehensive Guide

By -
Image
Introduction In distributed systems, maintaining context across microservices is crucial for effective logging and tracing. The Mapped Diagnostic Context (MDC) in logging frameworks like Logback or Log4j allows developers to propagate contextual information such as request IDs, user IDs, or correlation IDs across threads and services. When using web clients to make outgoing requests, it's essential to propagate the MDC context map to ensure consistency and traceability. This guide will provide   ...
Read more

Reset user password for your own Ghost blog

By -
Image
If you do not config mail up for your ghost blog, it maybe a big problem once you lost your user password. however, methods are always more than problems. We can fix it up by reset it. 1. Find out your database name in your ghost config, it is maybe in config.production.json   "database": {     "client": "mysql",     "connection": {       "host": "localhost",       "user": "ghost-452",       "password": "dade1b0565f2585e07c7",       "database": "ghost_production_acm" 2. Use mysql to reset the password. mysql -u root -p Enter the password for root account. mysql> use ghost_production_acm; mysql> select * from users; ghost use bcrypthash for the password. You can get bcrypt hash string from http://bcrypthashgenerator.apphb.com/ mysql>update users set password=' $2b$10$PaL8tKcU4i0CsjRrM6BhROVQMwwLFw2HSx/kWlAUgja23fNllc2Fy' where ...
Read more