Replies: 14 comments 19 replies
-
A common pattern for handling unauthenticated access is to redirect the user to the sign-in page, and then make a successful sign-in redirect back to the original starting point. Can that pattern be replicated with |
Beta Was this translation helpful? Give feedback.
-
One thing that is still missing for me with Now that there are more pages with |
Beta Was this translation helpful? Give feedback.
-
Probably a good idea to also document on how streaming ( |
Beta Was this translation helpful? Give feedback.
-
So this is very nice and long awaited (no pun intended), but I'm wondering why we're sugaring over status codes instead of just letting us I get the advantage of custom error pages (unauthorized.tsx), but we're adding cruft to web standards by not just leaning on them and creating our own language. If we can put in any status code, we can do Can you explain the reasoning behind not just opening up any status code to be sent? |
Beta Was this translation helpful? Give feedback.
-
Maybe the possibility of passing down a payload to the unauthorized / forbidden page? e.g. for info on which scope a user is missing. Also a retry/reset function similar to error pages could be nice for forbidden, in case a colleague added the scope a few seconds later? |
Beta Was this translation helpful? Give feedback.
-
Is it possible to globally check whether a user is authenticated and invoke unauthorized() without having to implement the check on every individual route or page? Based on the current documentation, it seems necessary to perform this authentication check separately for each route. Is there a more efficient method or best practice for handling authentication across the entire application? Thank you for your assistance! |
Beta Was this translation helpful? Give feedback.
-
I'd like to suggest also exposing the Errors that are thrown by these methods or some function that can "identify" them. The reason is that these control flows are realised via JS errors that are thrown and sometimes in a catch block, you need to differentiate if it's a not found/unauthorized/forbidden error and then re-throw it while handling other application errors. It seems like library authors like for next-safe-action are reaching very deep into undocumented files to make this happen right now: https://github.com/TheEdoRan/next-safe-action/blob/86f00f422c6799e81c57d402dfc40354cf78db17/packages/next-safe-action/src/utils.ts#L5 |
Beta Was this translation helpful? Give feedback.
-
I wonder... why instead of making specific functions for “popular” http response types, better a generic function that allows us to respond with any type of http response? |
Beta Was this translation helpful? Give feedback.
-
Although they are useful, I wonder if it is appropriate to use them in server components. For me it makes more sense from an earlier stage, the middleware, to check this and return the Response if necessary with the appropriate status. In the end if you are already rendering the page in streaming the headers have already been sent and using these methods cause a soft-redirect from the client, where the status is always 200, which is fine to give feedback to the users, but I have my doubts if it is good practice. |
Beta Was this translation helpful? Give feedback.
-
Could you share the suggested approach for implementing reverification? (e.g. user is allowed to perform, but needs to reverify their credentials before the sensitive action is allowed). We are unsure how to solve it with this API, primarily because we think we'd need "cause" on the client. We're particularly interested in how we can do it as a library, but happy to try and derive from the individual developer example. The specific examples we'd like to understand are:
Alternatively - is the advice not to use these APIs and return early instead? If so, can you provide a mental model for when a throw-based flow is suggested (redirect/forbidden/notFound) vs when a early return flow is suggested? |
Beta Was this translation helpful? Give feedback.
-
From what I can tell, I am aware that the 401 HTTP response is also named "Unauthorized", which is probably where your naming convention is taken from. |
Beta Was this translation helpful? Give feedback.
-
In this component, can we know which page the user is coming from? I like to redirect users to the page they were trying to access after signing in. Currently doing it with cookies in a dirty way. I'd like to replace it with this api, I could save the pathname to localStorage and then I can ask if they like to go to that page after they sign in.
import Link from 'next/link';
export default function Unauthorized() {
return (
<div>
<h2>Unauthorized</h2>
<p>Please log in to access this page.</p>
<Link href="/login">Go to Login</Link>
</div>
);
} |
Beta Was this translation helpful? Give feedback.
-
Would it be possible to create a NextJS API for doing this with any HTTP status code? Or at least some more of the SEO related ones? Our sites heavily rely on SEO and we sometimes want to utilize 410 (Gone) and other more "edge case" statuses. There are a few more discussions on this: |
Beta Was this translation helpful? Give feedback.
-
This RFC is definitely a positive step forward, this has been a pain point throughout my time using Next App Router - but I need to raise a use case that isn't covered. I'm using the casl library to handle permissions checking, which has a import { ForbiddenError } from "@casl/ability";
import { getAbilityForUser } from "@/lib/auth";
export default async function FooPage() {
const ability = await getAbilityForUser();
ForbiddenError.from(ability).throwUnlessCan("read", "Post"); // throws a ForbiddenError if the user doesn't have the right permission
} However, this is still caught as a normal error. I can work around this by doing something like export default async function FooPage() {
const ability = await getAbilityForUser();
if (!ability.can("read", "Post")) {
forbidden();
}
} However, one case where I can't use this workaround is when using the casl Prisma integration and its import { accessibleBy } from "@casl/prisma";
export default async function FooPage() {
const ability = await getAbilityForUser();
// This throws a casl ForbiddenError if the user cannot access any Posts
const posts = await prisma.post.findMany({
where: accessibleBy(ability).Post,
});
} I can work around this by catching the error but it gets ugly quick, particularly if you have multiple database reads in a component: export default async function FooPage() {
const ability = await getAbilityForUser();
let posts;
try {
posts = await prisma.post.findMany({
where: accessibleBy(ability).Post,
});
} catch (e) {
if (e instanceof ForbiddenError) {
notFound();
}
throw e;
}
} |
Beta Was this translation helpful? Give feedback.
-
Overview
If you’re familiar with the App Router, you’ve likely used
notFound()
to trigger 404 behavior alongside the customizablenot-found.tsx
file. In Next 15, we're actively exploring extending this approach to authorization errors:•
forbidden()
triggers a 403 error with customizable UI viaforbidden.tsx
.•
unauthorized()
triggers a 401 error with customizable UI viaunauthorized.tsx
.Good to know: As with
notFound()
errors, the status code will be a 200 if the error is triggered after initial response headers have been sent. Learn more.Enabling the feature
As this feature is still experimental, you’ll need to enable it in your
next.config.js
file:Using
forbidden()
andunauthorized()
You can use
forbidden()
andunauthorized()
in Server Actions, Server Components, Client Components, or Route Handlers. Here’s an example:Creating custom error pages
To customize the error pages, create the following files:
You can read more about the APIs in the forbidden and unauthorized documentation.
Note: before we stabilize this feature for 15.2, we're planning on adding more capabilities and improvements to the APIs to support a wider range of use cases.
We're actively iterating on this API and would love to hear your feedback about how it could be improved. Please feel free to leave any comments/suggestions/concerns in this thread. Thank you!
Beta Was this translation helpful? Give feedback.
All reactions