How Can I Secure My /admin Route Effectively?

Asked By CyberNinja42 On

I'm currently working with Next.js and need to secure my /admin route. I'm using Better Auth, but I've encountered some issues with middleware due to an edge-runtime error that prevents accessing authentication methods. I'm wondering whether I should handle the protection within the middleware, or if it's better to manage it in the layout or directly inside the page.tsx file. If you need any more details or clarification, feel free to ask; I really need the guidance!

3 Answers

Answered By DevGuru99 On

It's usually easier to protect the /admin route within a server component layout or directly in your page. This way, you can fetch session or authentication details right there. If the user isn't authorized, you can use Next.js's `redirect()` from `next/navigation` to handle the redirect. While middleware can be useful for global rules, for specific auth needs tied to frameworks that aren’t edge compatible, the layout or page route protection is often the safest choice.

CodeWiz73 -

That makes sense! I was worried about whether this approach is okay or if it slows down the site. What do you think about people claiming that checking auth in layouts is a bad practice?

WebDevExpert -

Layout protection is standard and most developers do it. The concern about it being 'bad' stems from the extra server render before a redirect, but for an admin page, this is generally fine. Just ensure your server-side checks are robust to maintain security.

Answered By Webmaster01 On

Just protect your /admin route directly in the layout or page. Dealing with middleware for authentication can turn into a real headache, especially with edge runtime limitations. Better Auth should work just fine there, saving you from hours of debugging with the auth context issues.

CodeNerd42 -

Thanks! I'm going to stick to protecting it within the layout as you've suggested. But I'm curious about the thoughts on auth checks in layouts being a negative thing—what's the deal with that?

Answered By SecureDev21 On

Don't forget to authenticate not just the route but also the API calls connected to it. I've had cases where unauthorized users bypassed frontend protection by directly hitting endpoints.

NinjaCoder88 -

I'll definitely make it foolproof! I'm using server actions for added security. I recently faced some endpoint exploits myself, so I'm pretty cautious now.
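The pattern DevGuru99 describes (gate the /admin layout or page on the server and `redirect()` when the session does not qualify) and the point SecureDev21 adds (run the same check in every server action and API endpoint the admin UI calls) fit naturally in one shared helper. The following is an added example, not code from the thread or from Better Auth; it keeps the framework calls abstract so it runs outside Next.js. Where the gate returns a redirect decision, a real layout would call `redirect()` from `next/navigation`. The session shape, the role names, and the paths are assumptions.

```typescript
// Added example (not from the thread): one authorization gate shared by the
// server layout/page for /admin and by the server actions behind it.
// Framework calls are abstracted so this runs outside Next.js: where the
// gate returns a "redirect" decision, a real layout would call redirect()
// from next/navigation. Session shape, role names and paths are assumptions.

type Role = "admin" | "user";

interface Session {
  userId: string;
  role: Role;
  expiresAt: number; // epoch milliseconds, as the session store would report
}

type GateDecision =
  | { kind: "allow"; session: Session }
  | { kind: "redirect"; to: string };

// Single source of truth for "may this caller reach /admin?". Every server
// entry point (layout, page, server action, route handler) calls this.
function requireAdmin(session: Session | null, now: number = Date.now()): GateDecision {
  // Not signed in, or the session has lapsed: send to login and come back.
  if (session === null || session.expiresAt <= now) {
    return { kind: "redirect", to: "/login?next=/admin" };
  }
  // Signed in but not an admin: plain redirect home rather than a 403 page,
  // so the existence of the admin area is not confirmed to ordinary users.
  if (session.role !== "admin") {
    return { kind: "redirect", to: "/" };
  }
  return { kind: "allow", session };
}

type LayoutResult = { redirectTo: string } | { html: string };

// Layout/page side: the gate runs during the server render, before any
// admin markup (or any child page) is produced.
function renderAdminLayout(
  session: Session | null,
  children: string,
  now: number = Date.now(),
): LayoutResult {
  const decision = requireAdmin(session, now);
  if (decision.kind === "redirect") {
    return { redirectTo: decision.to }; // redirect(decision.to) in Next.js
  }
  return { html: `<admin-shell user="${decision.session.userId}">${children}</admin-shell>` };
}

class UnauthorizedError extends Error {}

// Server-action side: the same gate runs again. A direct POST to the action
// endpoint never goes through the layout, so hiding the UI is not protection.
function deleteUserAction(
  session: Session | null,
  targetUserId: string,
  users: Set<string>,
  now: number = Date.now(),
): { deleted: string } {
  const decision = requireAdmin(session, now);
  if (decision.kind !== "allow") {
    throw new UnauthorizedError("admin session required");
  }
  if (!users.delete(targetUserId)) {
    throw new Error(`no such user: ${targetUserId}`);
  }
  return { deleted: targetUserId };
}
```

The layout check only ever protects the render; a caller who already knows the action's endpoint can invoke it without rendering anything, which is why `deleteUserAction` re-runs `requireAdmin` rather than trusting that it was reached from an admin page. Keeping both entry points on one helper also means a change to the session or role rules is made in exactly one place.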
