Is it needed to check the signed-in status of a user when my middleware does it, using clerk?
I am building a simple app with NextJs and Clerk.
I set up the middleware to protect all routes but some.
import { clerkMiddleware, createRouteMatcher } from '@clerk/nextjs/server';
const isPublicRoute = createRouteMatcher(['/sign-in(.*)', '/sign-up(.*)']);
export default clerkMiddleware((auth, request) => {
if (!isPublicRoute(request)) {
auth().protect();
}
});
export const config = {
matcher: [
// Skip Next.js internals and all static files, unless found in search params
'/((?!_next|[^?]*\\.(?:html?|css|js(?!on)|jpe?g|webp|png|gif|svg|ttf|woff2?|ico|csv|docx?|xlsx?|zip|webmanifest)).*)',
// Always run for API routes
'/(api|trpc)(.*)',
],
};
After playing a bit with it, I was wondering: on my protected pages, do I need to check if the user is signed in ? (e.g. using useUser() hook)
Shouldn't it be check by the middleware ? Do I still need to check it in case that could be bypassed?
Many thanks to anyone willing to teach me a bit about this.
Matthieu
No, this isn't necessary. Once you protect a route in middleware you cannot bypass that since it runs on every request.
In fact a scraper couldn't even know that a protected route exists without logging in unless you have a site map.
So yes you are good as long as Clerk behaves as it should.
However, if your concern is with security checkout security and privacy from the Clerk team.
- Outputting results from react-papaparse
- How to validate Stripe Elements form before calling stripe.confirmPayment
- Error: Failed to fetch RSC payload. Falling back to browser navigation
- How to Upgrade from ERC-721 to ERC721A in a Web3 Project Using JSON ABI?
- How to detect change in the URL hash in Next.js?
- scroll smooth doesn't work in laptop but work in mobile phone browser in nextjs website
- NextJS middleware does not seem to be triggered
- How can I create API end point in Next.js with query string
- Tanstack React-table column hidden on mobile screeen
- highcharts stock-tools not working(next.js)
- Using Highcharts with NextJS, The time (not the date) is repeating
- Route "/[locale]" used `params.locale`. `params` should be awaited before using its properties
- Running Telegram Mini app (web app) on localhost
- What should the canonical URL be for large e-commerce applications that have many filters?
- NextJS ImageError: Unable to optimize image and unable to fallback to upstream image
- TypeError: fs.readFileSync is not a function in Next.js
- Meaning of parentheses () in Next.js path
- Integration Issue with NextUI Components in Next.js 14 Project
- Get URL pathname in nextjs
- Could not resolve dependency: peer react@"^16.8.0 || ^17 || ^18 || ^19" from react-hook-form@7.53.1
- GTM: best way to manage a script that needs to run on certain routes in Next.js
- How to get query params using Server component (next 13)
- Next JS router.push not working without page reload
- Can I use pm2 to keep a Next.js app running
- Embed current build time into humans.txt file with nextjs
- Tailwind styles not applied in Netxjs project
- how to fix function component cannot be given refs while using framer motion useAnimate hook?
- Why is my nextjs server action being treated as a client routine?
- How to run Nextjs Backend with NextAuth alongside Keycloak in Local Kubernetes
- Next.js with next-redux-wrapper state is being reset to initial value when navigating using Link