Security

Route Protection

Complete guide to protecting routes, pages, and API endpoints with AuthCore's middleware and hooks.

🎣 Client-Side

Use hooks and HOCs for protecting React components and pages

🛡️ Server-Side

Use middleware for protecting API routes and server components

Client-Side Protection

1. useAuth Hook

The primary hook for authentication state and operations. Use this for conditional rendering and checking user permissions.

components/ProtectedContent.tsx

Available Properties:

  • user - Current user object or null
  • isAuthenticated - Boolean authentication status
  • isLoading - Loading state during auth operations
  • login() - Login function
  • logout() - Logout function
  • register() - Registration function

2. withAuth HOC (Higher-Order Component)

Wrap entire pages with authentication protection. Automatically redirects unauthenticated users.

pages/dashboard.tsx

Role-Based Protection

pages/admin/dashboard.tsx

Convenience Exports

Pre-configured HOCs for common use cases:

Convenience HOCs

💡 withAuth Options

  • requiredRole - Required role ('USER' | 'TENANT_ADMIN' | 'SUPER_ADMIN')
  • redirectTo - Custom redirect path (default: '/demo/login')
  • requireVerifiedEmail - Require email verification
  • allowUnverified - Allow access even if email not verified

Server-Side Protection

3. API Routes Middleware

Protect Next.js API routes with server-side middleware functions.

pages/api/protected-data.ts

Available Middleware Functions

API Route Middleware Options

Middleware Composition:

  • protectedRoute = authenticate + requireUser + requireTenant
  • adminRoute = authenticate + requireTenantAdmin + requireTenant
  • superAdminRoute = authenticate + requireSuperAdmin
  • authRoute = resolveTenant + rateLimit + auditLog

4. Next.js Middleware (Edge)

Protect multiple routes at once with Next.js middleware. Runs at the edge before requests reach your pages.

middleware.ts

Important

Don't protect your login page with middleware! Use the matcher pattern to exclude auth pages.

5. Server Components (App Router)

Protect App Router pages with server-side session checks.

app/dashboard/page.tsx

6. Server Actions

Protect server actions with session checks.

app/actions.ts

Real-World Examples

Dashboard with Role Checks

pages/dashboard.tsx

API Route with Conditional Logic

pages/api/user/data.ts

Best Practices

✓ Use Server-Side Protection for Sensitive Data

Always validate permissions on the server (API routes, server components). Client-side checks are for UX only.

✓ Combine Client and Server Protection

Use withAuth for pages + middleware for API routes for defense in depth.

✓ Use Role-Based Access Control (RBAC)

Leverage the built-in role system (USER, TENANT_ADMIN, SUPER_ADMIN) instead of custom permission flags.

✗ Don't Rely Only on Client-Side Protection

Client-side checks can be bypassed. Always validate on the server for security-critical operations.

✗ Don't Protect Login/Register Pages

Exclude authentication pages from middleware protection to avoid redirect loops.

Quick Reference

MethodTypeUse Case
useAuthHookConditional rendering in components
withAuthHOCProtect entire pages (client-side)
protectedRouteMiddlewareProtect API routes
adminRouteMiddlewareAdmin-only API routes
withAuth (middleware)Edge MiddlewareProtect multiple routes at once
getServerSessionServerServer components / Server actions

Next Steps

Authentication Hooks →

Learn about all available hooks for auth operations

Security Features →

Explore advanced security features like 2FA and lockout policies

Multi-Tenancy →

Learn about organization-level access control

Complete Examples →

See full working examples with protection