Next.js Discord

Discord Forum

Best practices for protecting client-side pages?

Answered
Order posted this in #help-forum
I'm using Lucia auth, and the function that checks the session can't work in Next middleware, but no matter what the auth solution is, I've always had the lingering question of what the best practices are for protecting client-rendered pages. I was doing some janky useEffect + useState stuff, but then I realized this can be bypassed by the user by simply changing the state to whatever they want. Is the best way to stay safe with my authentication just to make every page a server component, do the auth checks there and then import client components inside it, or are there proper ways to protect client pages?
Answered by Arinji
keep 👏 auth 👏 on 👏 the 👏 server

Remember that in every language.

For no reason are you gonna have to send any type of authentication logic to the client. The maximum relation the client has with regard to auth is that they store public data in cookies, so that you can keep track of who is logged in.


Yes, you do the auth in the pages, yeet a notFound() if no user, and the rest of the stuff can be client separated; feel free to put this auth check in the middleware so that every request is authenticated @Order
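As an added illustration of the answer above (not code from the thread, from Lucia, or from Next.js), here is the pattern in the shape of an App Router server component: the session is resolved on the server from the request's cookie against a server-side session store, and the page calls notFound() before any client component is rendered. The session table, user record, cookie name `auth_session` and the `DashboardClient` component are constructed for the demo; `notFound` below is a local stand-in that emulates `next/navigation`'s notFound() (which also works by throwing), so the file runs without a Next.js runtime.

```typescript
// Added example, not from the thread or from Lucia/Next.js.
// Models a server-only session check in the shape of app/dashboard/page.tsx.

type User = { id: string; name: string };

// Constructed server-side session store: session id -> owner + expiry.
// In a real app this is the database table your auth library manages.
const SESSIONS: Record<string, { userId: string; expiresAt: number }> = {
  sess_valid: { userId: "u1", expiresAt: Date.parse("2099-01-01T00:00:00Z") },
  sess_expired: { userId: "u1", expiresAt: Date.parse("2000-01-01T00:00:00Z") },
};
const USERS: Record<string, User> = { u1: { id: "u1", name: "order" } };

// Minimal parse of a Cookie request header into name -> value.
export function parseCookies(header: string | undefined): Map<string, string> {
  const out = new Map<string, string>();
  if (!header) return out;
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!name) continue;
    let value = raw;
    try {
      value = decodeURIComponent(raw);
    } catch {
      // malformed percent-encoding: keep the raw value rather than failing
    }
    out.set(name, value);
  }
  return out;
}

// Server-only. Resolves the user from the session cookie by looking the
// session id up in the server's own store. Anything the client merely
// claims (an "isLoggedIn" cookie, React state, localStorage) is ignored:
// only a session id the server issued, and that has not expired, counts.
export function validateRequest(
  cookieHeader: string | undefined,
  now: number = Date.now(),
): User | null {
  const sessionId = parseCookies(cookieHeader).get("auth_session");
  if (!sessionId) return null;
  const session = SESSIONS[sessionId];
  if (!session || session.expiresAt <= now) return null;
  return USERS[session.userId] ?? null;
}

// Stand-in for next/navigation's notFound(): it throws, so nothing after
// the check in the page function runs and the 404 boundary renders instead.
export class NotFoundError extends Error {
  readonly digest = "NEXT_NOT_FOUND";
}
function notFound(): never {
  throw new NotFoundError("not found");
}

// A client component ("use client" in its own file) rendered only after the
// server-side check; modelled here as a function returning a string, not JSX.
function DashboardClient(props: { userName: string }): string {
  return `<DashboardClient user="${props.userName}" />`;
}

// The protected page: a server component that gates on the server, then
// hands already-validated data down to the client component.
export function DashboardPage(cookieHeader: string | undefined): string {
  const user = validateRequest(cookieHeader);
  if (!user) notFound();
  return DashboardClient({ userName: user.name });
}
```

In a real Next.js page the cookie would come from `cookies()` in `next/headers` and `validateRequest` would be the auth library's session lookup; the rest of the shape is the same. The forged-state case from the question is covered by `validateRequest("isLoggedIn=true")` returning `null`: a cookie or state flag the client set on its own never reaches the session store, so the page 404s exactly as it does with no cookie at all.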

13 Replies

As I said, middleware doesn't quite work for me with Lucia auth, so I guess my solution would be to just make all pages server components by default and then import separate client components inside those pages.
yup, anyway I do that myself even without Lucia xD
I just like to make sure every page of mine is authenticated + helps with types xD
I don't really see many potential issues with that. I don't actually know why people "use client" so far up the component tree.
yea idk myself, use client ideally is the last element of the tree
ideally, can be different per usecase
anyways mark an answer
Original message was deleted
@Order
you need to do the whole app thing unfortunately
when I go to apps I get no commands available
ah worked
thank you :D