Authentication & Authorization

Route Access Configuration

In Jumbo, route access is managed by specifying paths in two arrays: publicPaths and anonymousPaths, which are defined in the file /src/config/routes/path.ts. This setup helps in controlling access to different parts of the application based on the user's authentication status.

Route Access Arrays

// /src/config/routes/path.ts

export const publicPaths = ['/auth/login-1'];

export const anonymousPaths = ['/auth/login-1'];

Explanation of Terms

  1. Public Path: A path listed in publicPaths is accessible to both anonymous (not authenticated) and authenticated users. No middleware redirect is applied to it.

  2. Anonymous Path: A path listed in anonymousPaths is accessible only while the user is anonymous (not authenticated). Authenticated users who request it are redirected to the dashboard.

  3. Authenticated Path: Any path that appears in neither publicPaths nor anonymousPaths is an Authenticated Path, accessible only by authenticated users. This is the default, so a route that is simply forgotten in the config is protected rather than exposed. Requesting such a path without being authenticated results in a redirect to the login page.

Examples

Here’s how you can configure different routes:

Public Path Example

export const publicPaths = ['/home', '/about'];

Anonymous Path Example

export const anonymousPaths = ['/auth/login-1','/auth/signup-1','/auth/forgot-password'];

Middleware for Route Access Control

In Jumbo, two middleware functions, anonymousMiddleware and authMiddleware, are used to manage access to routes. These middleware functions determine whether a user can continue to the requested path or should be redirected based on their authentication status. The logic for this can be found in /src/middleware.ts.

Middleware Logic

The middleware logic checks the requested path and applies the appropriate middleware function based on whether the path is a public, anonymous, or authenticated path.
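The following is an added example, not Jumbo's /src/middleware.ts, of the classifier that such a dispatcher needs: it normalises the requested path, looks it up in the two arrays, and decides whether to pass the request through or redirect it. `normalizePath`, `classifyPath`, `decide`, `RouteRequest` and `Decision` are names assumed for this example; the redirect targets (/auth/login-1 and /dashboards/crypto) are the ones Jumbo's own middleware uses. It deliberately includes the slash-less spelling `'auth/login-1'` from the original config to show why normalisation matters.

```typescript
// Added example of the path classification behind authMiddleware / anonymousMiddleware
// dispatch. Not Jumbo's code; all names below are assumptions for this example.

// Same shape as /src/config/routes/path.ts. The first entry repeats the page's
// slash-less spelling, and '/about/' carries a trailing slash, to exercise normalisation.
export const publicPaths = ['auth/login-1', '/home', '/about/'];
export const anonymousPaths = ['/auth/login-1', '/auth/signup-1', '/auth/forgot-password'];

export type RouteKind = 'public' | 'anonymous' | 'authenticated';

// Canonical form: leading slash, collapsed slashes, no trailing slash (except '/'),
// no query string or fragment. Without this, '/about/' or '/home?ref=1' would fall
// through to the "authenticated" default and 'auth/login-1' would never match.
export function normalizePath(p: string): string {
  let s = p.split(/[?#]/)[0] ?? p;
  if (!s.startsWith('/')) s = '/' + s;
  s = s.replace(/\/+/g, '/');
  if (s.length > 1 && s.endsWith('/')) s = s.slice(0, -1);
  return s;
}

// Exact matching on purpose: a prefix check such as startsWith('/auth') would also
// make '/authors' public. Routes below a public section must be listed explicitly.
export function classifyPath(
  pathname: string,
  publicList: string[] = publicPaths,
  anonList: string[] = anonymousPaths,
): RouteKind {
  const target = normalizePath(pathname);
  const anon = new Set(anonList.map(normalizePath));
  const pub = new Set(publicList.map(normalizePath));
  // A path in both arrays is contradictory; the stricter rule (anonymous-only) wins
  // here so a logged-in user is still bounced away from the login page. (Assumption.)
  if (anon.has(target)) return 'anonymous';
  if (pub.has(target)) return 'public';
  // Default-deny: anything not listed requires a session.
  return 'authenticated';
}

// Minimal stand-in for NextRequest so the example runs outside Next.js.
export interface RouteRequest {
  pathname: string;
  hasSession: boolean; // true when the next-auth session cookie is present
}

export type Decision = { action: 'next' } | { action: 'redirect'; to: string };

// Mirrors what /src/middleware.ts has to do: pick the rule by route kind and apply it.
export function decide(req: RouteRequest): Decision {
  const kind = classifyPath(req.pathname);
  if (kind === 'public') return { action: 'next' };
  if (kind === 'anonymous') {
    return req.hasSession ? { action: 'redirect', to: '/dashboards/crypto' } : { action: 'next' };
  }
  return req.hasSession ? { action: 'next' } : { action: 'redirect', to: '/auth/login-1' };
}
```

In a real Next.js middleware the `matcher` entry in the exported `config` should exclude `_next/static`, `_next/image` and similar asset paths, otherwise the default-deny rule above redirects requests for scripts and images to the login page as well.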

Here’s the code snippet from /src/middleware/auth.ts:

import { NextRequest, NextResponse } from 'next/server';

// Guards authenticated paths: no next-auth session cookie -> send to the login page.
// Note: when the app is served over HTTPS, next-auth prefixes the cookie name with
// "__Secure-", so reading only the bare name finds no cookie in production and
// every request is bounced to login.
export function authMiddleware(request: NextRequest) {
  const token = request.cookies.get('next-auth.session-token');

  if (!token) {
    const url = request.nextUrl.clone();
    url.pathname = `/auth/login-1`;
    return NextResponse.redirect(url);
  }

  // Only the cookie's presence is checked; its value is never verified, so a
  // cookie with any value passes this check. To verify it, decode the session
  // (e.g. with getToken() from next-auth/jwt) and redirect to /auth/login-1
  // when verification fails.
  return NextResponse.next();
}

// Guards anonymous-only paths: a session cookie is present -> send to the dashboard.
export function anonymousMiddleware(req: NextRequest) {
  const accessToken = req.cookies.get('next-auth.session-token');

  if (accessToken) {
    const url = req.nextUrl.clone();
    url.pathname = `/dashboards/crypto`; // Redirect logged-in users to dashboard
    return NextResponse.redirect(url);
  }

  return NextResponse.next();
}

Middleware Functions

This middleware layer is responsible for managing route access based on a user's authentication status in a Next.js application using next-auth.

AuthMiddleware

Purpose

Restricts access to authenticated (private) routes. Only users with a valid session token should be able to access these routes.

Behaviour

  • Checks whether the session cookie (next-auth.session-token) is present in the request.

  • If the cookie is missing, the user is redirected to the login page (/auth/login-1).

  • If the cookie is present, the request is allowed to proceed. Only presence is checked; the cookie's value is not verified.

  • Verifying the token is an extension point: decode the session in the middleware (for example with getToken() from next-auth/jwt) and treat a token that fails verification or has expired like a missing one, redirecting to /auth/login-1.

Use Case

Apply this middleware to pages like dashboards, profiles, or settings that require user authentication.

Anonymous Middleware

Purpose

Prevents authenticated users from accessing routes intended only for anonymous users (e.g., login or registration pages).

Behaviour

  • Checks whether the session cookie (next-auth.session-token) is present in the request.

  • If the cookie exists, the user is redirected to a default authenticated page (/dashboards/crypto).

  • If the cookie is not present, the request is allowed to proceed.

Summary

Middleware            Purpose                                   Redirect if...
authMiddleware        Protect private routes                    No cookie → /auth/login-1
anonymousMiddleware   Prevent access to anonymous-only pages    Cookie exists → /dashboards/crypto

The current authMiddleware and anonymousMiddleware only check whether the session cookie is present; they neither verify its contents nor look at who the user is. You can customize them, or write your own middleware, to verify the token and to add role- or permission-based authorization on top of the route classification.
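The following added example illustrates both extension points mentioned above: verifying the session token instead of only checking that the cookie exists, and a role check layered on top. It is not Jumbo's or next-auth's code. The token format used here (base64url(JSON claims) + "." + base64url(HMAC-SHA256)) is an assumption so that the example runs offline; NextAuth.js's real session cookie is an encrypted JWE and must be opened with getToken() from next-auth/jwt, not with this code. The names `getSessionCookie`, `signSessionToken`, `verifySessionToken`, `presenceOnlyAuth`, `verifiedAuth`, `ROUTE_ROLES`, the /admin prefix and the /403 redirect target are all assumptions.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Added example, not Jumbo's or next-auth's code. Token format is an assumption
// (HMAC-signed JSON); a real next-auth session must be decoded with getToken().

export interface SessionClaims {
  sub: string;
  role: 'user' | 'admin';
  exp: number; // seconds since epoch
}

// next-auth prefixes the cookie name with "__Secure-" over HTTPS, so a middleware
// that reads only the bare name sees no session at all in production.
const SESSION_COOKIE_NAMES = ['__Secure-next-auth.session-token', 'next-auth.session-token'];

export function getSessionCookie(cookies: Map<string, string>): string | undefined {
  for (const name of SESSION_COOKIE_NAMES) {
    const v = cookies.get(name);
    if (v) return v;
  }
  return undefined;
}

const b64u = (s: string) => Buffer.from(s, 'utf8').toString('base64url');

export function signSessionToken(claims: SessionClaims, secret: string): string {
  const body = b64u(JSON.stringify(claims));
  const mac = createHmac('sha256', secret).update(body).digest('base64url');
  return `${body}.${mac}`;
}

// Returns the claims only when the MAC is valid (constant-time compare) and the token is unexpired.
export function verifySessionToken(token: string, secret: string, now = Date.now()): SessionClaims | null {
  const [body, mac] = token.split('.');
  if (!body || !mac) return null;
  const expected = createHmac('sha256', secret).update(body).digest();
  const given = Buffer.from(mac, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let claims: SessionClaims | null = null;
  try {
    claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8')) as SessionClaims;
  } catch {
    return null;
  }
  if (!claims || typeof claims.exp !== 'number' || claims.exp * 1000 <= now) return null;
  return claims;
}

// Role required per route prefix (assumed); anything not listed needs only a valid session.
const ROUTE_ROLES: Array<[prefix: string, role: SessionClaims['role']]> = [['/admin', 'admin']];

export type Decision = { action: 'next' } | { action: 'redirect'; to: string };

// Presence-only check, equivalent to the page's authMiddleware: any cookie value passes.
export function presenceOnlyAuth(cookies: Map<string, string>): Decision {
  return getSessionCookie(cookies) ? { action: 'next' } : { action: 'redirect', to: '/auth/login-1' };
}

// Verified check: bad MAC or expired token -> login; wrong role -> /403 (assumed path).
export function verifiedAuth(
  cookies: Map<string, string>,
  pathname: string,
  secret: string,
  now = Date.now(),
): Decision {
  const raw = getSessionCookie(cookies);
  const claims = raw ? verifySessionToken(raw, secret, now) : null;
  if (!claims) return { action: 'redirect', to: '/auth/login-1' };
  for (const [prefix, role] of ROUTE_ROLES) {
    const underPrefix = pathname === prefix || pathname.startsWith(prefix + '/');
    if (underPrefix && claims.role !== role) return { action: 'redirect', to: '/403' };
  }
  return { action: 'next' };
}
```

The contrast to look at is `presenceOnlyAuth` versus `verifiedAuth` on a cookie whose value is an arbitrary string: the first lets it through, the second sends it to login. In Jumbo the equivalent of `verifySessionToken` is `await getToken({ req, secret: process.env.NEXTAUTH_SECRET })` inside the middleware, and the role claim has to be placed into the token by the next-auth `jwt` callback before it can be checked here.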
