📚 Documentation: Adding await to cookies() and headers() to align with Next.js 15 async API changes in Server-side authentication with Next.js tutorial

[Ahrary]

What does this PR do?

Updates code examples in documentation to reflect Next.js 15 changes, specifically adding await to cookies() and headers() calls. Since these functions are now asynchronous in Next.js 15, the examples have been updated to provide updated and accurate guidance to developers.

Test Plan

• Manually reviewed and updated all relevant .markdoc documentation files in this tutorial.

Related PRs and Issues

• Related to Next.js 15 upgrade (Next.js 15 release notes).

Have you read the Contributing Guidelines on issues?

Yes

Summary by CodeRabbit

• Documentation
  • Updated Next.js SSR authentication tutorials to use awaited cookie and header access patterns for more reliable session handling.
  • Clarified Next.js 15 requirements and demonstrated secure cookie flag usage when creating session cookies.
  • Improved examples for session retrieval and deletion to ensure correct evaluation order and consistent sign-in/sign-out flows.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coolify-appwrite-org]

The preview deployment failed. 🔴

Open Build Logs

Last updated at: 2025-07-02 19:37:01 CET

[appwrite]

appwrite.io

Project ID: 684969cb000a2f6c0a02

Sites (1)

Site	Status	Logs	Preview	QR
website 68496a17000f03d62013	Queued	View Logs	Preview URL

Tip

You can use Avatars API to generate QR code for any text or URLs.

[coderabbitai]

Walkthrough

This pull request updates tutorial examples for Next.js SSR authentication by changing direct calls to Next.js runtime APIs into awaited invocations: replacing cookies().get/set/delete() with (await cookies()).get/set/delete() and headers().get() with (await headers()).get(). Step-5 also adds secure: true to the cookie configuration. No other control flow, signatures, or functional behavior are changed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: adding await to cookies() and headers() to align with Next.js 15 async API changes in the tutorial documentation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

src/routes/docs/tutorials/nextjs-ssr-auth/step-5/+page.markdoc (1)

96-96: Consider adding explicit mention of awaiting cookies().

The description accurately summarizes the function but could optionally mention that cookies() must be awaited in Next.js 15. This would provide additional clarity for developers following the tutorial.

Example enhancement:

-The `signUpWithEmail` function is an async function that takes the form data as an argument. It uses the `createAdminClient` function to create an admin Appwrite client and then calls the `createEmailPasswordSession` method on the `account` object. This method takes the email and password as arguments and returns a session object. We then set the session secret in a cookie and redirect the user to the account page.
+The `signUpWithEmail` function is an async function that takes the form data as an argument. It uses the `createAdminClient` function to create an admin Appwrite client and then calls the `createEmailPasswordSession` method on the `account` object. This method takes the email and password as arguments and returns a session object. We then await the `cookies()` function (required in Next.js 15) to set the session secret in a secure cookie and redirect the user to the account page.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ce72079 and cc9a740.

📒 Files selected for processing (4)

• src/routes/docs/tutorials/nextjs-ssr-auth/step-3/+page.markdoc (1 hunks)
• src/routes/docs/tutorials/nextjs-ssr-auth/step-5/+page.markdoc (2 hunks)
• src/routes/docs/tutorials/nextjs-ssr-auth/step-6/+page.markdoc (1 hunks)
• src/routes/docs/tutorials/nextjs-ssr-auth/step-7/+page.markdoc (3 hunks)

🧰 Additional context used

🧠 Learnings (3)

📚 Learning: 2025-09-25T05:24:12.551Z

Learnt from: BretRen
Repo: appwrite/website PR: 2442
File: src/routes/docs/products/auth/email-password/+page.markdoc:50-56
Timestamp: 2025-09-25T05:24:12.551Z
Learning: Appwrite v17+ uses object parameters consistently across Account methods. Both account.create({ userId, email, password }) and account.createEmailPasswordSession({ email, password }) use object parameters instead of positional arguments.

Applied to files:

• src/routes/docs/tutorials/nextjs-ssr-auth/step-3/+page.markdoc

📚 Learning: 2025-09-25T05:24:12.551Z

Learnt from: BretRen
Repo: appwrite/website PR: 2442
File: src/routes/docs/products/auth/email-password/+page.markdoc:50-56
Timestamp: 2025-09-25T05:24:12.551Z
Learning: Appwrite v17+ uses object parameters for Account methods including createEmailPasswordSession({ email, password }) instead of positional arguments. This is consistent across the Account API methods like account.create({ userId, email, password }).

Applied to files:

• src/routes/docs/tutorials/nextjs-ssr-auth/step-3/+page.markdoc

📚 Learning: 2025-09-25T05:24:12.551Z

Learnt from: BretRen
Repo: appwrite/website PR: 2442
File: src/routes/docs/products/auth/email-password/+page.markdoc:50-56
Timestamp: 2025-09-25T05:24:12.551Z
Learning: The Appwrite `createEmailPasswordSession` method uses object parameters `{ email, password }` instead of positional arguments. This is consistent with other Account methods in Appwrite that also use object parameters.

Applied to files:

• src/routes/docs/tutorials/nextjs-ssr-auth/step-5/+page.markdoc

🔇 Additional comments (6)

src/routes/docs/tutorials/nextjs-ssr-auth/step-3/+page.markdoc (1)

23-23: LGTM! Correctly aligns with Next.js 15 async API.

The change properly awaits cookies() before calling .get(), which is necessary because Next.js 15 made these helper functions asynchronous. The parentheses ensure the Promise is resolved before accessing the cookie store methods.

src/routes/docs/tutorials/nextjs-ssr-auth/step-6/+page.markdoc (1)

25-27: LGTM! Correct implementation of Next.js 15 async cookies() API.

The change properly demonstrates awaiting the cookies() function before calling methods on the cookie store, which aligns with Next.js 15's async API requirements.

src/routes/docs/tutorials/nextjs-ssr-auth/step-5/+page.markdoc (1)

83-88: LGTM! Async cookies() correctly implemented with bonus security improvement.

The await syntax for cookies() correctly aligns with Next.js 15's async API changes. The parentheses around await cookies() are necessary to resolve the promise before calling .set().

Additionally, the addition of secure: true on line 87 is a valuable security enhancement ensuring cookies are only transmitted over HTTPS. Note that this security improvement goes beyond the stated PR objectives and may warrant mention in the PR description.

src/routes/docs/tutorials/nextjs-ssr-auth/step-7/+page.markdoc (3)

30-30: LGTM! Correct async usage for Next.js 15.

The await for headers() is correctly applied, and the syntax (await headers()).get("origin") properly reflects Next.js 15's async API changes.

---

91-96: LGTM! Correct async usage for Next.js 15.

The await for cookies() is properly applied with correct syntax (await cookies()).set(...). The cookie configuration also appropriately includes secure: true, httpOnly: true, and sameSite: "strict" for security best practices.

---

1-100: Code is consistent across all tutorial steps - no changes needed.

Verification confirms that cookies() and headers() calls are consistently awaited throughout the entire nextjs-ssr-auth tutorial series (steps 3, 5, 6, and 7). All instances follow the proper async pattern, so users following the tutorial sequentially will see uniform patterns with no confusion.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

src/routes/docs/tutorials/nextjs-ssr-auth/step-5/+page.markdoc (1)

83-88: Consider documenting secure cookie behavior for different development environments.

The async/await pattern (await cookies()).set(...) is correct for Next.js 15. The secure: true flag is a standard cookie option and appropriate for production security. However, setting it unconditionally can prevent cookies from working in development environments that aren't localhost (e.g., network IPs, custom domains). The tutorial text already mentions "secure cookie" but doesn't explain this caveat.

Consider clarifying that developers should either:

• Use conditional logic: secure: process.env.NODE_ENV === 'production'
• Run development over HTTPS (mkcert or similar)
• Note that localhost correctly handles Secure cookies during development

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cc9a740 and 16f436b.

📒 Files selected for processing (1)

• src/routes/docs/tutorials/nextjs-ssr-auth/step-5/+page.markdoc

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-09-25T05:24:12.551Z

Learnt from: BretRen
Repo: appwrite/website PR: 2442
File: src/routes/docs/products/auth/email-password/+page.markdoc:50-56
Timestamp: 2025-09-25T05:24:12.551Z
Learning: The Appwrite `createEmailPasswordSession` method uses object parameters `{ email, password }` instead of positional arguments. This is consistent with other Account methods in Appwrite that also use object parameters.

Applied to files:

• src/routes/docs/tutorials/nextjs-ssr-auth/step-5/+page.markdoc

📚 Learning: 2025-09-25T05:24:12.551Z

Learnt from: BretRen
Repo: appwrite/website PR: 2442
File: src/routes/docs/products/auth/email-password/+page.markdoc:50-56
Timestamp: 2025-09-25T05:24:12.551Z
Learning: Appwrite v17+ uses object parameters for Account methods including createEmailPasswordSession({ email, password }) instead of positional arguments. This is consistent across the Account API methods like account.create({ userId, email, password }).

Applied to files:

• src/routes/docs/tutorials/nextjs-ssr-auth/step-5/+page.markdoc

🔇 Additional comments (1)

src/routes/docs/tutorials/nextjs-ssr-auth/step-5/+page.markdoc (1)

96-96: LGTM! Clear documentation of the Next.js 15 requirement.

The updated explanation clearly states that awaiting cookies() is required in Next.js 15 and mentions the secure cookie setting, which helps developers understand the changes.