How to protect API routes ? #4797

Sakkhor909 · 2022-06-29T18:31:36Z

Sakkhor909
Jun 29, 2022

Hello, I am new to Next Auth.
I am using google providers to authenticate a user. Here are my configurations

import NextAuth from "next-auth";
import GoogleProvider from "next-auth/providers/google";
import { PrismaAdapter } from "@next-auth/prisma-adapter";
import prisma from "/db/prisma";

export default NextAuth({
  adapter: PrismaAdapter(prisma),
  providers: [
    GoogleProvider({
      clientId: process.env.GOOGLE_CLIENT_ID,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
      authorization: {
        params: {
          prompt: "consent",
          access_type: "offline",
          response_type: "code",
        },
      },
      httpOptions: {
        timeout: 50000,
      },
    }),
  ],
  secret: process.env.SECRET,
  callbacks: {
    async signIn({ account, profile }) {
      if (account.provider === "google") {
        const user = await prisma.Invited_User.findUnique({
          where: {
            email: profile.email,
          },
        });
        if (user) {
          await prisma.Invited_User.update({
            where: {
              email: profile.email,
            },
            data: {
              status: "Active",
            },
          });
          return true;
        } else {
          return false;
        }
      }
    },
    async session({ session, user }) {
      const AuthUser = await prisma.Invited_User.findUnique({
        where: {
          email: user.email,
        },
        select: {
          role: true,
        },
      });
      await prisma.user.update({
        where: {
          email: user.email,
        },
        data: {
          role: AuthUser.role,
        },
      });

      session.user.ID = user.id;
      session.user.role = AuthUser.role;
      return session;
    },
  },
});

Here A user can log in with google if they are on the list, also season gets updated with their roles. I authenticate a user in getServerSideProps like this

import { getSession } from "next-auth/react";

export async function getServerSideProps(context) {
  const session = await getSession(context);
  if (!session) {
    return {
      redirect: {
        destination: "/warning",
        permanent: false,
      },
    };
  }
  if (session && session.user.role === "ADMIN") {
    const DBdata = await axios
      .get(`${process.env.NEXTAUTH_URL}/api/backend/something`)
      .then((res) => res.data)
      .catch((error) => console.log(error));

    return {
      props: { session: JSON.parse(JSON.stringify(session)), DBdata },
    };
  }
}

Everything works fine. But in this setup, how I could a protect an API route ? pages/api/backend/something
Like now anyone gets a request on api/backend/something but I want only my application user can do it, no external users.
I am using next-connect and here is what my current API configuation may look likes

import nc from "next-connect";
import prisma from "/db/prisma";

const handler = nc({
  onError: (err, req, res, next) => {
    console.error(err.stack);
    res.status(500).end("Something broke!");
  },
  onNoMatch: (req, res, next) => {
    res.status(404).end("Page is not found");
  },
}).get(async (req, res) => {
  
  try {
    const Data = await prisma.Something.findMany({});
    res.status(200).json(Data);
  } catch (error) {
    console.error(error);
    res.status(500).json(error);
  }

});

export default handler;

Answered by Sakkhor909

Jul 2, 2022

My current solution :

When fetching data send cookie

import { getSession } from "next-auth/react";

export async function getServerSideProps(context) {
  const session = await getSession(context);
  if (!session) {
    return {
      redirect: {
        destination: "/warning",
        permanent: false,
      },
    };
  }
  if (session && session.user.role === "ADMIN") {
    const DBdata = await axios
      .get(`${process.env.NEXTAUTH_URL}/api/backend/something`, {
        headers: { Cookie: context.req.headers.cookie },
      })
      .then((res) => res.data)
      .catch((error) => console.log(error));

    return {
      props: { session: JSON.parse(JSON.stringify(session)), DBdata }…

View full answer

Sakkhor909 · 2022-07-02T13:57:47Z

Sakkhor909
Jul 2, 2022
Author

My current solution :

When fetching data send cookie

import { getSession } from "next-auth/react";

export async function getServerSideProps(context) {
  const session = await getSession(context);
  if (!session) {
    return {
      redirect: {
        destination: "/warning",
        permanent: false,
      },
    };
  }
  if (session && session.user.role === "ADMIN") {
    const DBdata = await axios
      .get(`${process.env.NEXTAUTH_URL}/api/backend/something`, {
        headers: { Cookie: context.req.headers.cookie },
      })
      .then((res) => res.data)
      .catch((error) => console.log(error));

    return {
      props: { session: JSON.parse(JSON.stringify(session)), DBdata },
    };
  }
}

In API middileware

import nc from "next-connect";
import { getSession } from "next-auth/react";

const handler = nc({
  onError: (err, req, res, next) => {
    console.error(err.stack);
    res.status(500).end("Something broke!");
  },
  onNoMatch: (req, res, next) => {
    res.status(404).end("Page is not found");
  },
}).use(async (req, res, next) => {
  const session = await getSession({ req });
  if (!session) {
    res.status(401).json({ error: "Unauthenticated access!" });
  } else {
    next();
  }
});

export default handler;

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

How to protect API routes ? #4797

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

How to protect API routes ? #4797

Uh oh!

Sakkhor909 Jun 29, 2022

Replies: 1 comment

Uh oh!

Sakkhor909 Jul 2, 2022 Author

Sakkhor909
Jun 29, 2022

Sakkhor909
Jul 2, 2022
Author