Authentication & Authorization
Route Access Configuration
In Jumbo, route access is managed by specifying paths in two arrays, publicPaths and anonymousPaths, which are defined in the file /src/config/routes/path.ts. This setup controls access to different parts of the application based on the user's authentication status.
Route Access Arrays
// /src/config/routes/path.ts
export const publicPaths = ['auth/login-1'];
export const anonymousPaths = ['/auth/login-1'];
Explanation of Terms
Public Path
A path defined as a Public Path is accessible by both anonymous (not authenticated) and authenticated users. This means that any user, regardless of their authentication status, can access these routes.
Anonymous Path
A path defined as an Anonymous Path is accessible only if the user is anonymous (not authenticated). Authenticated users will be redirected if they try to access these routes.
Authenticated Path
Any path not specified in the publicPaths or anonymousPaths arrays is considered an Authenticated Path. These paths are accessible only by authenticated users. Attempting to access these routes without being authenticated will result in a redirection to the login page or an access denied message.
Examples
Here’s how you can configure different routes:
Public Path Example
export const publicPaths = ['/home', '/about'];
Anonymous Path Example
export const anonymousPaths = ['/auth/login-1','/auth/signup-1','/auth/forgot-password'];
Middleware for Route Access Control
In Jumbo, two middleware functions, anonymousMiddleware and authMiddleware, are used to manage access to routes. These middleware functions determine whether a user can continue to the requested path or should be redirected based on their authentication status. The logic for this can be found in /src/middleware.ts.
Middleware Logic
The middleware logic checks the requested path and applies the appropriate middleware function based on whether the path is a public, anonymous, or authenticated path.
Here's the code snippet from /src/middleware/auth.ts:
import { NextRequest, NextResponse } from 'next/server';

export function authMiddleware(request: NextRequest) {
  // Only the presence of the next-auth session cookie is checked here,
  // not its validity; a missing cookie sends the user to the login page.
  const token = request.cookies.get('next-auth.session-token');
  if (!token) {
    const url = request.nextUrl.clone();
    url.pathname = `/auth/login-1`;
    return NextResponse.redirect(url);
  }
  // do we need to verify the token?
  // if not verified then redirect to /auth/login-1
  return NextResponse.next();
}

export function anonymousMiddleware(req: NextRequest) {
  // Users who already have a session cookie are sent away from
  // anonymous-only pages such as login and signup.
  const accessToken = req.cookies.get('next-auth.session-token');
  if (accessToken) {
    const url = req.nextUrl.clone();
    url.pathname = `/dashboards/crypto`; // Redirect logged-in users to dashboard
    return NextResponse.redirect(url);
  }
  return NextResponse.next();
}
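The page describes the dispatch in /src/middleware.ts (classify the requested path, then apply the matching middleware) but does not show it. The following is an added, framework-free model of that decision, not Jumbo's own code: normalizePath, classifyPath, decide and the hasSession flag are assumptions, and the path lists are copied from the examples above. It also shows two checks a reviewer would want: a list entry without a leading slash (as in the page's 'auth/login-1') still matches, and any unlisted path defaults to authenticated.

```typescript
// Added example (not from the Jumbo project): a pure model of the route-access decision.
const publicPaths = ['/home', '/about'];
const anonymousPaths = ['/auth/login-1', '/auth/signup-1', '/auth/forgot-password'];

type RouteKind = 'public' | 'anonymous' | 'authenticated';
type Decision = { action: 'next' } | { action: 'redirect'; to: string };

// Normalise so 'auth/login-1' and '/auth/login-1' compare equal, and a trailing
// slash does not silently turn a listed path into an "authenticated" one.
function normalizePath(p: string): string {
  const withSlash = p.startsWith('/') ? p : `/${p}`;
  return withSlash.length > 1 ? withSlash.replace(/\/+$/, '') : withSlash;
}

// publicPaths is consulted first, so a path listed in both arrays is treated as public.
function classifyPath(pathname: string): RouteKind {
  const path = normalizePath(pathname);
  if (publicPaths.map(normalizePath).includes(path)) return 'public';
  if (anonymousPaths.map(normalizePath).includes(path)) return 'anonymous';
  return 'authenticated'; // default-deny: anything unlisted requires a session
}

// hasSession models "a next-auth session cookie is present". As in the page's
// authMiddleware this is presence, not validity; verification would sit on top.
function decide(pathname: string, hasSession: boolean): Decision {
  switch (classifyPath(pathname)) {
    case 'public':
      return { action: 'next' };
    case 'anonymous':
      return hasSession ? { action: 'redirect', to: '/dashboards/crypto' } : { action: 'next' };
    case 'authenticated':
      return hasSession ? { action: 'next' } : { action: 'redirect', to: '/auth/login-1' };
  }
}
```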
Middleware Functions
This middleware layer is responsible for managing route access based on a user's authentication status in a Next.js application using next-auth.
AuthMiddleware
Purpose
Restricts access to authenticated (private) routes. Only users with a valid session token should be able to access these routes.
Behaviour
Checks if a session token is present in the request cookies.
If the token is missing, the user is redirected to the login page (/auth/login). If the token is present, the user is allowed to proceed.
Optionally, the token can be verified for authenticity. If verification fails, the user may be redirected to an alternate login route (/auth/login-1).
Use Case
Apply this middleware to pages like dashboards, profiles, or settings that require user authentication.
Anonymous Middleware
Purpose
Prevents authenticated users from accessing routes intended only for anonymous users (e.g., login or registration pages).
Behaviour
Checks if a session token is present in the request cookies.
If the token exists, the user is redirected to a default authenticated page (such as /dashboards/analytical). If the token is not present, the user is allowed to proceed.
Summary
authMiddleware: protects private routes. No token → /auth/login
anonymousMiddleware: prevents access to anonymous-only pages. Token exists → /dashboards/analytical