Is it needed to check the signed-in status of a user when my middleware does it, using clerk?
I am building a simple app with NextJs and Clerk.
I set up the middleware to protect all routes but some.
import { clerkMiddleware, createRouteMatcher } from '@clerk/nextjs/server';
const isPublicRoute = createRouteMatcher(['/sign-in(.*)', '/sign-up(.*)']);
export default clerkMiddleware((auth, request) => {
if (!isPublicRoute(request)) {
auth().protect();
}
});
export const config = {
matcher: [
// Skip Next.js internals and all static files, unless found in search params
'/((?!_next|[^?]*\\.(?:html?|css|js(?!on)|jpe?g|webp|png|gif|svg|ttf|woff2?|ico|csv|docx?|xlsx?|zip|webmanifest)).*)',
// Always run for API routes
'/(api|trpc)(.*)',
],
};
After playing a bit with it, I was wondering: on my protected pages, do I need to check if the user is signed in ? (e.g. using useUser() hook)
Shouldn't it be check by the middleware ? Do I still need to check it in case that could be bypassed?
Many thanks to anyone willing to teach me a bit about this.
Matthieu
No, this isn't necessary. Once you protect a route in middleware you cannot bypass that since it runs on every request.
In fact a scraper couldn't even know that a protected route exists without logging in unless you have a site map.
So yes you are good as long as Clerk behaves as it should.
However, if your concern is with security checkout security and privacy from the Clerk team.
- In NextJS while using TailwindCSS some components are taking different width
- How to redirect if the param is not present Next.JS
- Error: Could not resolve various Storybook dependencies with Storybook 8 and PNPM
- NextAuth: how to return custom errors without redirection
- How to create search in ui/shadcn?
- Cannot destructure property 'store' of 'useReduxContext(...)' as it is null
- How to export structured notes (image + text) from a Next.js app to Apple Notes?
- Are Next.js 13.4 Server Actions just a way to run api calls on the server side instead of the client side?
- next/image does not load images from external URL after deployment
- In hosting Next.js app to Vercel, backend API is not working
- How to detect change in the URL hash in Next.js?
- Pagination Navigation Not Displaying All Pages in React Component
- router.push() is not working as expected NextJS
- React 18: Hydration failed because the initial UI does not match what was rendered on the server
- Toast notification not triggering in Next.js contact form despite successful route and form submission
- Production build fails: Type error: Property 'companies' does not exist on type 'PrismaClient ...... whereas local build passes
- Next Image is not being displayed
- Connection Refused Between SSR Next.js and Laravel API
- Receiving attempted import error for JWT in Next.js
- callbackUrl not working in auth.js signin
- NextAuth Error 'MISSING_NEXTAUTH_API_ROUTE_ERROR' in Next.js 13 (app route)
- Warning: Text content did not match. Server: "I'm out" Client: "I'm in" div
- Next js with react-leaflet window is not defined when refreshing page
- Nextjs with react-leaflet - SSR, webpack | window not defined, icon not found
- react-select: How do I resolve “Warning: Prop `id` did not match”
- Dynamic meta deta is not updating as expected due to production static site generation
- How to remove Query Params
- Next js set query param. Why this way?
- How can I update the Session info on Every Refresh?
- How to use multiple middlewares in Next.js using the middleware.ts file?