Implementing subscription modal
Answered
MarkMiklos posted this in #help-forum
Im curious what would be the best way to implement a "global" subscription modal, when a user doesn't have a subscription on the admin routes.
Should i just check it on every page and whenever the user.subscription is false i just return the modal, or is there a better way to do it?
Should i just check it on every page and whenever the user.subscription is false i just return the modal, or is there a better way to do it?
Answered by B33fb0n3
normally you would check the current status in your middleware to have easy maintainabilty and only write less code to archive that. Like that you check the current status once and redirect the user to a specific location, if he does not have a running subscription
12 Replies
@MarkMiklos Im curious what would be the best way to implement a "global" subscription modal, when a user doesn't have a subscription on the admin routes.
Should i just check it on every page and whenever the user.subscription is false i just return the modal, or is there a better way to do it?
normally you would check the current status in your middleware to have easy maintainabilty and only write less code to archive that. Like that you check the current status once and redirect the user to a specific location, if he does not have a running subscription
Answer
So basically instead of showing a modal on each page, i just get the user data in the middleware and whenever the subscription is false, then redirect the user to /no-subscription and just show some data?
Alright thanks. π
One more question, im using lucia auth and im fked because of edge runtime π does that mean im completely off and have to check on each page? im going to have like 8-10 pages on the admin side max, so shouldn't be that bad?
@MarkMiklos One more question, im using lucia auth and im fked because of edge runtime π does that mean im completely off and have to check on each page? im going to have like 8-10 pages on the admin side max, so shouldn't be that bad?
Ratonero Murciano de Huerta
The admin pages should have a layout yes?
You can do the check on the layout rather than on each individual page
You can do the check on the layout rather than on each individual page
It does yeah, but the data can be manipulated in the layout isn't it?
Ratonero Murciano de Huerta
What do you mean it can be manipulated π€
I mean, yeah, it can be manipulated by you before getting to the pages
I mean, yeah, it can be manipulated by you before getting to the pages
@MarkMiklos you are right, it's not save to validate auth inside the layout.
@Ratonero Murciano de Huerta don't teach that...
You can see the potential issue here: https://github.com/eric-burel/securing-rsc-layout-leak
What can you do against it:
* checking authentication in a middleware (in your case not possible [as you said](https://nextjs-forum.com/post/1277694958345912512#message-1277698854254284801))
* checking authentication in the page (possible)
* checking authentication in the data fetching method (possible as well)
@Ratonero Murciano de Huerta don't teach that...
You can see the potential issue here: https://github.com/eric-burel/securing-rsc-layout-leak
What can you do against it:
* checking authentication in a middleware (in your case not possible [as you said](https://nextjs-forum.com/post/1277694958345912512#message-1277698854254284801))
* checking authentication in the page (possible)
* checking authentication in the data fetching method (possible as well)
@B33fb0n3 <@691640174077280263> you are right, it's not save to validate auth inside the layout.
<@934158910875664384> don't teach that...
You can see the potential issue here: https://github.com/eric-burel/securing-rsc-layout-leak
What can you do against it:
* checking authentication in a middleware (in your case not possible [as you said](https://discord.com/channels/752553802359505017/1277694958345912512/1277698854254284801))
* checking authentication in the page (possible)
* checking authentication in the data fetching method (possible as well)
Ratonero Murciano de Huerta
Yeah the safest and best option is from the middleware, but since the middleware is off-limits I thought it'd be easier to work from the layout rather than on every page. Had no idea it's not safe...
Can I ask though, how is it different from validating within the page? π€
Can I ask though, how is it different from validating within the page? π€
@Ratonero Murciano de Huerta Yeah the safest and best option is from the middleware, but since the middleware is off-limits I thought it'd be easier to work from the layout rather than on every page. Had no idea it's not safe...
Can I ask though, how is it different from validating within the page? π€
the layout will be rendered differently. And you can use that rendering differently to do bad stuff, as described here: https://github.com/eric-burel/securing-rsc-layout-leak
Ratonero Murciano de Huerta
I see...
Thank you π
Thank you π