Is it safe to only Auth Routes at Layout Level?
Answered
Happy champ posted this in #help-forum
I have a shared layout between my pages and want to authenticate the pages by only including validation in layout.tsx (using cookies and db session):
/layout.tsx
/foo
  page.tsx
/bar
  page.tsx
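import { redirect } from "next/navigation";
// validateRequest is the poster's own helper (cookie + DB session lookup).

export default async function Layout({
  children,
}: {
  children: React.ReactNode;
}) {
  // The auth check lives only here, in the shared layout.
  const user = await validateRequest();
  if (!user) redirect("/login");
  return <>{children}</>;
}

This causes the user not to be authenticated after the layout is loaded for subsequent page requests, however, which I'm OK with.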
Is this generally safe? Is it possible to bypass layouts and access pages?
Answered by Rafael Almeida
It is not safe: you can make requests to individual parts of the page if you are using RSCs, effectively bypassing your layout code. Ideally you want to add an auth check on every resource access anyway, not only once in the page.
3 Replies
For more information: https://github.com/eric-burel/securing-rsc-layout-leak
@Rafael Almeida @joulev Thanks for clearing things up!
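The per-resource check recommended in the answer, as an added example that is not part of the original thread and is not Next.js code: a plain TypeScript model in which the layout and the page are separate functions, so a render that skips the layout only stays protected when the data access checks the session itself. `validateRequest` here is a synchronous stand-in for the poster's helper, and `layout`, `getNotes`, `fooPageGuarded` and `renderPageOnly` are hypothetical names.

```typescript
// Constructed sample data: session ids, user ids and records are made up.
type User = { id: string };
const sessions = new Map<string, User>([["valid-session", { id: "u1" }]]);
const records: Record<string, string> = { u1: "u1's private notes" };

// Stand-in for the poster's validateRequest(); the real one is async and
// reads the cookie itself. Kept synchronous so the model runs anywhere.
function validateRequest(cookie?: string): User | null {
  if (!cookie) return null;
  return sessions.get(cookie) || null;
}

// Layout-only pattern from the question: the page trusts the layout.
function layout(cookie: string | undefined, child: () => string): string {
  if (!validateRequest(cookie)) return "redirect:/login";
  return `<main>${child()}</main>`;
}
function fooPageUnguarded(): string {
  return records["u1"]; // no check of its own
}

// Per-resource pattern from the answer: the data function checks the
// session itself, so every caller (page, action, route) is covered.
function getNotes(cookie?: string): string | null {
  const user = validateRequest(cookie);
  return user ? (records[user.id] ?? null) : null;
}
function fooPageGuarded(cookie?: string): string {
  const notes = getNotes(cookie);
  return notes === null ? "redirect:/login" : notes;
}

// Models a request that renders the page segment without running the layout.
function renderPageOnly(page: () => string): string {
  return page();
}
```

In a real app the same guard would sit at the top of each `page.tsx`, server action and route handler, or inside the data-access functions they call.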