feat: protected routes defined from nuxt config #47
Conversation
|
What about using custom |
DanielRivers
force-pushed
the
feat/protected-server-routes
branch
from
af2ad74
to
2568f8f
Compare
- added couple of example rules to the playground config - reworked where the rules were defined
DanielRivers
force-pushed
the
feat/protected-server-routes
branch
from
2568f8f
to
c86d113
Compare
|
@danielroe I can't see what I have done to break the virtual file None of my seem to marry up to cause the error. |
|
One question is whether we instead move forward with nuxt/nuxt#25841 rather than implementing this specifically in this module. That would allow kinde middleware to be applied in a more generic way. Do you see any limitations in that PR? |
…s/kinde into feat/protected-server-routes
@danielroe That looks good, I was hoping to find a way to trigger the middleware without having to add one would assume that the rest of the route payload would be accessible so can continue to use the following style of config and extend as needed? I can pull the PR and have a look in more detail, but if I understand right not a huge amount would change just really how its triggered? |
|
@danielroe What changes are needed to get this over the line? |
|
@danielroe Mostly your changes looked good, I had to change slightly the implementation of I have tested on both direct access and using NuxtLink. |
Updates the `getRouteRules` import and implementaton, adds `NitroRouteRules['kinde']` type back as type inference was not working
DanielRivers
force-pushed
the
feat/protected-server-routes
branch
from
d013279
to
0d816b1
Compare
|
@danielroe What can we do to get this PR through? We are seeing an increased usage of the module and route protection is a common question. |
# Conflicts: # package.json
|
@DanielRivers I don't believe this PR currently would work on client-side navigation. For example, this code: const usersPermissions = await nuxt.ssrContext!.event.context.kinde.getPermissions()will not work in the browser. |
|
@danielroe I have implemented client support, added an access endpoint which checks if the logged in user has access to the route, returns the returnUrl and access boolean. |
|
@danielroe little nudge on a review 🙏 |
|
@danielroe Can this get a review please? |
| if (import.meta.client) { | ||
| const fetchResult = await $fetch<AccessResponse>('/api/access', { method: 'POST', body: JSON.stringify({ | ||
| path: to.path, | ||
| }) }) | ||
| if (!fetchResult.access && fetchResult.redirectUrl) { | ||
| window.location.href = fetchResult.redirectUrl | ||
| } | ||
| return | ||
| } | ||
|
|
There was a problem hiding this comment.
I feel this should be done entirely on the client side rather than requiring an extra request every time someone tries to navigate to a given route.
are the permissions exposed/accessible to the client?
There was a problem hiding this comment.
They're currently not as they are only on the token, I can certainly fetch and store in memory store on client when attempting to use and not there yet.
This adds the ability to protect routes based on permissions of the logged in user
this is all handled by the
auth-logged-inmiddlewareexample configuration
This will protect the route
protectedto only users with the permission ofexample_permissionand all routes underadminneed to haveadmin_userpermissionAn array of permissions can be defined, along with an optional
redirectUrl. If not redirectUrl is supplied the user will be presented with a401error as per the current behaviour.For versions 3.10 and lower you have to define the middleware on the you want to be protected
This is a built in solution for #45