admin管理员组文章数量:1391975
this works really well to do lazy loading to make a performant SPA:
import dynamic from 'next/dynamic';
const DynamicComponents: Record<string, React.ComponentType<ComponentProps<any>>> = {
UserPushNotifUpdates: dynamic(() => import('@/components/dd/push-notif/push-notifs-component'), {
loading: () => <LoadingComponent />,
}),
MatchPublic: dynamic(() => import('@/components/dd/match/match-2'), {
loading: () => <LoadingComponent />,
}),
MatchPrivate: dynamic(() => import('@/components/dd/match/match'), {
loading: () => <LoadingComponent />,
}),
AdminHome: dynamic(() => import('@/components/dd/admin/home/admin-home'), {
loading: () => <LoadingComponent />,
}),
AdminDashboard: dynamic(() => import('@/components/dd/admin/dashboard/admin-dashboard'), {
loading: () => <LoadingComponent />,
}),
};
the problem is that for security anybody could load any component - I want to restrict access to components in the same way we do with pages.
To my best knowledge, with Next.js, these import calls bypass middleware.
is there a way to get the middleware to work so we can always intercept import calls to modules like this and check for access?
this works really well to do lazy loading to make a performant SPA:
import dynamic from 'next/dynamic';
const DynamicComponents: Record<string, React.ComponentType<ComponentProps<any>>> = {
UserPushNotifUpdates: dynamic(() => import('@/components/dd/push-notif/push-notifs-component'), {
loading: () => <LoadingComponent />,
}),
MatchPublic: dynamic(() => import('@/components/dd/match/match-2'), {
loading: () => <LoadingComponent />,
}),
MatchPrivate: dynamic(() => import('@/components/dd/match/match'), {
loading: () => <LoadingComponent />,
}),
AdminHome: dynamic(() => import('@/components/dd/admin/home/admin-home'), {
loading: () => <LoadingComponent />,
}),
AdminDashboard: dynamic(() => import('@/components/dd/admin/dashboard/admin-dashboard'), {
loading: () => <LoadingComponent />,
}),
};
the problem is that for security anybody could load any component - I want to restrict access to components in the same way we do with pages.
To my best knowledge, with Next.js, these import calls bypass middleware.
is there a way to get the middleware to work so we can always intercept import calls to modules like this and check for access?
Share Improve this question edited Mar 19 at 17:48 Alexander Mills asked Mar 13 at 15:51 Alexander MillsAlexander Mills 101k166 gold badges537 silver badges918 bronze badges 5 |1 Answer
Reset to default 0alright so this is pretty straightforward generally, sadly only some will understand it, the key part is to use update (backend) Next.js middleware to match on components/assets being loaded.
this line:
req.nextUrl?.pathname?.startsWith('_next/')
the above will match on the components that get loaded on front-end, and there you can put your backend logic
const privateRouteMatcher = createRouteMatcher([
'/u/(.*)',
'/api/p/(.*)',
]);
export default middleware(async (auth, req: NextRequest) => {
const res = NextResponse.next();
if (req.nextUrl?.pathname?.startsWith('_next/')) {
// HANDLE ACCESS CONTROL LOGIC HERE
res.headers.set('x-middleware-cache', 'no-cache');
return res;
}
// For non-private routes, return early with CORS headers
if (!privateRouteMatcher(req)) {
return res;
}
// route to rest of the app
return res;
});
export const config = {
matcher: [
'/(.*)',
],
};
本文标签: nextjsSecure SPA with dynamic loading using nextdynamic but with *security*Stack Overflow
版权声明:本文标题:next.js - Secure SPA with dynamic loading using nextdynamic but with *security* - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1744692389a2620072.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
dynamic(() => { runMiddleware(); return Component })– Duannx Commented Mar 15 at 6:50