Hi all,

I'm using `hooks.server.ts` for JWT auth in my app, you can find my code here: GitHub
And I have a dilemma about what to do when a user tries to access a protected route without an access token.
Currently, I'm using `redirect()` to reroute a user when they don't have permissions to access a route. While this works, it doesn't trigger the `load()` method from `layout.server.ts` in which I load some data if the user is logged in. So what might happen is that the user is logged in, data is loaded, then cookies are deleted, the user tries to access a route, they get redirected from the protected route, but that data is still loaded, because `load` didn't rerun, and the data will be visible on the page, which should not happen. The user can't do anything without an access token, so security-wise it should be fine, but still, it's not ideal.
The other solution is to throw `error()` when the user doesn't have permissions, which seems like the best approach to me, but the problem is that when I use `error()`, SvelteKit will send that error to the `error.html` fallback page, which is not great for customization, and the page will not have the same look and feel as the others. I found a workaround for this, but it just doesn't seem right.
And the third option, which currently works best, is to create a new route `/auth/error`; I'll then redirect the user there from `hooks.server.ts`, and `onMount` of that component I will do `await invalidateAll()`, which will trigger `load()` to rerun, followed by `goto('/auth/sign-in')`, but this just feels a bit hacky.
So is there any other option? Is there a possibility to add an `invalidateAll` flag to `redirect()`, like it's done for `goto()`? Can you somehow throw an error from a server hook in `+error.svelte` instead of `error.html`?
P.S. same discussion on Reddit
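The guard a `hooks.server.ts` `handle` makes for a protected route, written as an added example (not the author's repository code) as a pure decision function so the JWT check can be tested without SvelteKit; the cookie name, secret, protected prefixes and sign-in path are assumptions, and in the real hook the `redirect` decision becomes `throw redirect(303, location)`.

```typescript
// Added example: route guard logic behind a SvelteKit `handle` hook.
// Assumed names: cookie `access_token`, prefixes /app and /account, sign-in at /auth/sign-in.
import { createHmac, timingSafeEqual } from 'node:crypto';

const ACCESS_COOKIE = 'access_token';            // assumed cookie name
const PROTECTED_PREFIXES = ['/app', '/account']; // assumed protected routes
const SIGN_IN = '/auth/sign-in';

type Decision =
  | { kind: 'allow'; userId?: string }
  | { kind: 'redirect'; status: 303; location: string };

const b64url = (s: string) => Buffer.from(s).toString('base64url');

// HS256 verification: constant-time signature compare, then `exp` and `sub` checks.
export function verifyJwt(token: string, secret: string, now = Date.now()): { sub: string } | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  let header: any, payload: any;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    payload = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch { return null; }
  if (header.alg !== 'HS256') return null; // only accept the algorithm we issue
  const expected = createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, 'base64url');
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) return null;
  if (typeof payload.exp !== 'number' || payload.exp * 1000 <= now) return null;
  if (typeof payload.sub !== 'string') return null;
  return { sub: payload.sub };
}

// What `handle` decides for one request: `cookie` is event.cookies.get(ACCESS_COOKIE).
export function decide(pathname: string, cookie: string | undefined, secret: string, now = Date.now()): Decision {
  const isProtected = PROTECTED_PREFIXES.some((p) => pathname === p || pathname.startsWith(p + '/'));
  const claims = cookie ? verifyJwt(cookie, secret, now) : null;
  if (!isProtected) return { kind: 'allow', userId: claims?.sub };
  if (!claims) return { kind: 'redirect', status: 303, location: SIGN_IN };
  return { kind: 'allow', userId: claims.sub };
}

// Mints a token for local testing; in the app this belongs to the sign-in action.
export function signJwt(sub: string, expSeconds: number, secret: string): string {
  const h = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const p = b64url(JSON.stringify({ sub, exp: expSeconds }));
  const s = createHmac('sha256', secret).update(`${h}.${p}`).digest('base64url');
  return `${h}.${p}.${s}`;
}
```

A missing, expired, tampered or wrongly-signed cookie all yield the same `redirect` decision, so the hook never distinguishes them to the client.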