[Question] How can I secure private pages, server side / ssr?

[ijpatricio]

Hello everyone.

To handle private pages, I would expect the content to be only available server side, behind authentication (I'll be using Laravel Sanctum).

As per the reading, discussion, issues etc, I understand all the nuxt/content is not server side, am I right?

To do that, should I use Custom sources?

https://content.nuxt.com/docs/advanced/custom-source

Would I have to render the the thing in SSR, or provide the file contents in a JSON?

Or is there already a way I just wasn't able to find it?

[codebykyle]

Custom sources are called at build-time, downloaded, and a database dump of the details is generated.

Nuxt is built, which generates the client and the server. Nuxt content generates all of its pages, dumps, etc, at build time, including custom sources. When a user requests data from a specific collection, nuxt content will download a sql_dump.txt of that collection and load it into a client-side sqlite database running in the browser.

In other words, those are still available in the client.

You can have a look at the .data/content/contents.sqlite file to see what the client will have access to.

When the user wants a specific database, they hit the /__nuxt_content/ route

content/src/module.ts

Line 152 in a9fed2f

manifest.collections.forEach((collection) => {

    nuxt.options.routeRules![`/__nuxt_content/**`] = { robots: false }

    manifest.collections.forEach((collection) => {
      if (!collection.private) {
        nuxt.options.routeRules![`/__nuxt_content/${collection.name}/sql_dump.txt`] = { prerender: true }
      }
    })

You can create server middleware to dictate if the user can download the dump, perhaps?

Alternatively you could solve this through an external application like traefik and a reverse proxy with forward auth. Something like Authentik works completely out of the box and lets you secure content on the proxy level.

You could also block the client from accessing a particular dump, but allow the server to access it, and then access your content via an api endpoint and useFetch, with some authentication middleware. You would lose access to a lot of the client side features that come with nuxt content, but could still use markdown and whatnot for your content.

[ijpatricio]

Hi @codebykyle

Thanks for the detailed info!

There was a time where I would definitely pursue the reverse proxy path, Authentik, Authelia, etc. I'm now old 😄 I like simple solutions, easily replicable.

Would it be impossible to just not build anything before hand?

Having the files, but No collection configured in the Content.
I would make the Page server side route, with the slug param. The action would retrieve the file contents, in runtime, parse the markdown, and render the response.

I'm assuming we would loose the search feature in the body contents. That could be thought later, maybe just by indexing only titles.

Is this very hard to achieve?

[TheAnachronism]

I've been thinking about this problem as well for some time, as I also have some pages I'd like to move behind an authentication wall. Something that has come up, that might actually be somewhat related to this, is that with really large collections of markdown-content, the databases get huge. Which means when the client access content related to these pages, this huge collection dump is downloaded to the client, even though they might only ever access 2 pages of it.
My solution to this has been to just never call something like queryCollection on the client, and move all those calls to server-side endpoints. It would be quite nice if it was possible which collections are downloadable to the client.
Furthermore, due to the database dumps always being served publicly, restricting content behind an authentication wall is a bit difficult, as those dumps could theoretically still be accessed.
I've deployed my site onto Cloudflare pages, and currently I am looking into solutions to block clients from downloading these database dumps, as I query the entire thing from the server anyways.