Add support for public and private routes for access control based on authentication

[phoenixfusionx]

Goals

1. Simplify authentication flow by enabling route-level access control using a declarative pattern.
2. Allow developers to mark routes as public or private without writing repetitive logic.
3. Improve maintainability and scalability of auth logic across app routes.

Non-Goals

No response

Background

Currently, handling public and private routes in Next.js requires boilerplate in each route using getServerSession, useSession, or custom middleware. This approach quickly becomes repetitive and error-prone, especially in large applications with multiple protected routes.

Some developers build their own abstractions, but there is no official or standardized way to declare route-level access rules. A declarative configuration or convention (e.g., metadata on route files or a centralized config) would improve DX and reduce redundancy. Other frameworks (like Remix or Nuxt) offer similar patterns and have demonstrated value in streamlining auth flows.

Proposal

Introduce a built-in mechanism to label routes (in the app directory) as public or private. This could be achieved through:

• A conifg export in page.tsx or layout.tsx, e.g:

export const config = {
  auth: 'private' // or 'public'
}

• Or, use file conventions like +private.tsx, though this may be less scalable.
  When auth: 'private' is set, Next.js can:
• Automatically check the session via middleware or getServerSession.
• Redirect unauthenticated users to a login page.
• Optionally allow a custom redirect config (redirectTo: '/auth/login').
  This would reduce complexity for developers and encourage consistent patterns for access control.