Is fetching and redirecting in layout a bad pattern?
Answered
Yongho Lee posted this in #help-forum
I wonder is it a bad pattern to fetch and redirect in layout. Redirection in layout means you don't want the user to view the page. However, I concern about that layout and page work simultaneously.
Let's take an example. We need to create several admin pages and block general users from accessing those pages. So, where should the logic for blocking access be located? What about locating this at
At first glance, it's a quite reasonable choice. Let's go back to the problem that I mentioned at first. In the above code,
Another approach would be to send this logic to
Let's take an example. We need to create several admin pages and block general users from accessing those pages. So, where should the logic for blocking access be located? What about locating this at
layout? At first, the intention to call checkAdmin in layout is to reduce unnecessary fetching in client routing from /admin to /admin/other. I thought check again is unnecessary in client routing under the same layout.// /app/admin/layout.js
export default async function Layout() {
const isAdmin = await checkAdmin()
if (!isAdmin) redirect('/home')
return <>{children}</>
}
// /app/admin/page.js
export default async function Page() {
const credentialData = await fetchApiForAdming()
return <>{children}</>
}
// /app/admin/other/page.js
export default async function Page() {
const credentialData = await fetchApiForAdming()
return <>{children}</>
}At first glance, it's a quite reasonable choice. Let's go back to the problem that I mentioned at first. In the above code,
fetchApiForAdming is called regardless of whether the user is an admin or not. Of course, RSC doesn't return the credential data and only redirects to home even if fetchApiForAdmin throws an error. However, is it appropriate for fetchApiForAdmin to be called even for requests from regular users, even though it happens server-side and is not transmitted to the client?Another approach would be to send this logic to
middleware, but it is concerning because middleware runs in a separate environment from the app, Edge Runtime, which means caching is not possible.Answered by B33fb0n3
yea, your redirect won't be efficent, when it's depending on the auth of the user. Imagine the user bypasses this check, like I mentioned, then there is no effective redirect. In other words it means: redirect in layout is fine, but not when it's depending on auth
5 Replies
@Yongho Lee I wonder is it a bad pattern to fetch and redirect in layout. Redirection in layout means you don't want the user to view the page. However, I concern about that layout and page work simultaneously.
Let's take an example. We need to create several admin pages and block general users from accessing those pages. So, where should the logic for blocking access be located? What about locating this at `layout`? At first, the intention to call `checkAdmin` in layout is to reduce unnecessary fetching in client routing from /admin to /admin/other. I thought check again is unnecessary in client routing under the same `layout`.
ts
// /app/admin/layout.js
export default async function Layout() {
const isAdmin = await checkAdmin()
if (!isAdmin) redirect('/home')
return <>{children}</>
}
// /app/admin/page.js
export default async function Page() {
const credentialData = await fetchApiForAdming()
return <>{children}</>
}
// /app/admin/other/page.js
export default async function Page() {
const credentialData = await fetchApiForAdming()
return <>{children}</>
}
At first glance, it's a quite reasonable choice. Let's go back to the problem that I mentioned at first. In the above code, `fetchApiForAdming` is called regardless of whether the user is an admin or not. Of course, RSC doesn't return the credential data and only redirects to home even if `fetchApiForAdmin` throws an error. However, is it appropriate for `fetchApiForAdmin` to be called even for requests from regular users, even though it happens server-side and is not transmitted to the client?
Another approach would be to send this logic to `middleware`, but it is concerning because `middleware` runs in a separate environment from the app, Edge Runtime, which means caching is not possible.
yea, when checking your auth inside your layout, the user is able to bypass this check. And that mean for you: a security vulnability. Don't check the auth inside your layout. You can read about it here ([click me](https://github.com/eric-burel/securing-rsc-layout-leak)).
Instead check in:
1. Middleware or
2. Page or
3. Function
Instead check in:
1. Middleware or
2. Page or
3. Function
Mallow bee
Check auth right before every action you want to guard, whether that's writing to the DB or calling an internal API. If you ever add a permissions model you'll have to do this anyway
then the route level redirects are just a UX enhancement to stop people from performing actions that would throw errors
then the route level redirects are just a UX enhancement to stop people from performing actions that would throw errors
Thanks comments @B33fb0n3 @Mallow bee
My concern would rather relate to efficiency than security because the
My concern would rather relate to efficiency than security because the
fetchApiForAdmin function also restricts general users and throws an error if so. I didn't even want to call fetchApiForAdmin. As you mentioned, I think redirecting in layout was not a good idea.@Yongho Lee Thanks comments <@301376057326567425> <@231856762750369793>
My concern would rather relate to efficiency than security because the `fetchApiForAdmin` function also restricts general users and throws an error if so. I didn't even want to call `fetchApiForAdmin`. As you mentioned, I think redirecting in layout was not a good idea.
yea, your redirect won't be efficent, when it's depending on the auth of the user. Imagine the user bypasses this check, like I mentioned, then there is no effective redirect. In other words it means: redirect in layout is fine, but not when it's depending on auth
Answer