feat: add middleware for protected routes

[Fedeorlandau]

Hi there, on almost every next.js app I needed to add some sort of middleware to protect routes like /dashboard or /admin

What do you think of adding this middleware example on the next-auth boilerplate?

Regards.

P.S : I've also upgraded eslint-config-next to match the latest nextjs version

[wlechowicz]

IMO feels a step over the border of the scaffolding realm.

[Fedeorlandau]

IMO feels a step over the border of the scaffolding realm.

I'd argue that is doing the same as the existing protected endpoint but for routes. Maybe removing the protected endpoint example is the real deal.

I can do it if the people agree.

[wlechowicz]

Actually, I think you're right. It's a valuable example of a working middleware and route matcher. One thing I'd suggest is that the comment could be moved to the top, like in the restricted.ts file, so it's the first thing that the user hits, and that it spells out that it's an example, just like the other file.

[juliusmarminge]

Works as intended. Now it's just deciding if we want this or not and I leave that to @nexxeln

[nexxeln]

I think this would be valuable.
@theobr What do you think?

[michaelwschultz]

FWIW I find this super useful as someone who always has trouble with the semantics around auth and relies on opinionated starters like this to show me the way.

[t3dotgg]

Down to include this. Would like to be way more explicit in the code, file naming etc that "this is a way to BLOCK ACCESS TO ROUTES" so we're not guiding users down this path incorrectly just because it's there

[t3dotgg]

I thought about this more and it feels like something we're not building. This is more an "example", one that's already in other sample repos 🤔🤔

[Fedeorlandau]

I thought about this more and it feels like something we're not building. This is more an "example", one that's already in other sample repos 🤔🤔

It's an example indeed. Again, the reason why I added this is because we have another example for restricted endpoints which is a copy of the next-auth protected endpoint example.
IMO if this PR doesn't go in, then the restricted endpoint must go away.

I really don't know what do lol

[CarlosGomez-dev]

I think it's valuable to have both, it's common to want to protect endpoint and routes, and we already have the endpoint example

[Fedeorlandau]

Closing this PR as it's implying that this is the right way to do protected routes. Something that we can't really guarantee.

If you're looking to do something like this please refer to next-auth official docs.

Cheers!