Protect the routes!!! #12

Open
Kiranism opened this issue Jul 26, 2024 · 9 comments
Comments

@Kiranism

@webdevcody Hey, what can we do to protect the routes? Since we aren't using middleware, maybe we can do the checks directly in the pages?

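Something like:

```tsx
import { redirect } from 'next/navigation';

// getUser is the session helper this snippet assumes
export default async function Dashboard() {
  const user = await getUser();
  if (!user) {
    return redirect('/admin/login');
  }
  return (...)
}
```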

image

@evert-arias

@Kiranism You can protect routes by calling `assertAuthenticated` at the start of each protected page. This function returns the current user if logged in, or throws an error if not. Then the `error.tsx` page catches these errors and shows a "not authenticated" message if it's an auth error.

@Kiranism
Author

Yeah, that will work. Maybe that can be added to the code.

@evert-arias

It's already in the code. The dashboard page uses the assertAuthenticated function which is implemented in lib/session.ts.

@Kiranism
Author

> It's already in the code. The dashboard page uses the assertAuthenticated function which is implemented in lib/session.ts.

It's just throwing an error. Please check this picture #12 (comment)

@evert-arias

@Kiranism I see. There were a few issues I had to solve to get this template to work in production. I'll check that out.

@evert-arias

So, when built for production, isAuthenticationError evaluates as false, but not when running locally in dev mode. As a result, it is showing the generic error message instead of the authentication error message.

image

@webdevcody
Owner

I think having a method called assertAuthenticatedAndRedirect('/your/url') would be my recommendation. I personally don't like when a user is just randomly redirected to a new page; I'd rather show them an error so they know not to do it again. I can look into this error difference between prod and dev and try to update this.

@evert-arias

I concur with that strategy.

@Kiranism
Author

> I think having a method called assertAuthenticatedAndRedirect('/your/url') would be my recommendation. I personally don't like when a user is just randomly redirected to a new page; I'd rather show them an error so they know not to do it again. I can look into this error difference between prod and dev and try to update this.

Fair enough. I also noticed that you can still visit the login page (auth routes) after signing in, which can be avoided with a similar check.
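
The guards discussed in this thread, modeled as an added stand-alone example that is not part of the thread or of the project's code: a throwing `assertAuthenticated`, the proposed `assertAuthenticatedAndRedirect`, and the inverse check for auth routes. `Session`, `getUser`, `RedirectSignal`, `assertGuest`, `renderGuarded` and the `code` values are assumptions made for illustration; the outcome is classified where the guard throws, by a stable `code` field rather than by the error's class or message.

```typescript
// Added example, not project code: Session, getUser and RedirectSignal are hypothetical stand-ins.
type User = { id: string };
type Session = { user?: User } | null;

class AuthenticationError extends Error {
  readonly code = "AUTH_REQUIRED";
}
// Stand-in for a framework redirect, modeled here as a thrown signal.
class RedirectSignal extends Error {
  readonly code = "REDIRECT";
  to: string;
  constructor(to: string) { super("redirect to " + to); this.to = to; }
}
const getUser = (s: Session): User | undefined => (s ? s.user : undefined);

// Fail closed: without a user the page body never runs.
function assertAuthenticated(session: Session): User {
  const user = getUser(session);
  if (!user) throw new AuthenticationError("not authenticated");
  return user;
}
// Variant proposed in the thread: same check, the caller picks the destination.
function assertAuthenticatedAndRedirect(session: Session, to: string): User {
  const user = getUser(session);
  if (!user) throw new RedirectSignal(to);
  return user;
}
// Inverse check for auth routes: a signed-in user is sent away from the login page.
function assertGuest(session: Session, to: string): void {
  if (getUser(session)) throw new RedirectSignal(to);
}

type Outcome =
  | { kind: "render"; body: string }
  | { kind: "unauthenticated" }
  | { kind: "redirect"; to: string };

// Classify by the stable `code` field; unknown errors keep propagating.
function renderGuarded(page: () => string): Outcome {
  try {
    return { kind: "render", body: page() };
  } catch (e) {
    const err = (e ?? {}) as { code?: string; to?: string };
    if (err.code === "AUTH_REQUIRED") return { kind: "unauthenticated" };
    if (err.code === "REDIRECT") return { kind: "redirect", to: String(err.to) };
    throw e;
  }
}
```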
