
Using the @nuxt/auth module

Open peterhijma opened this issue 5 years ago • 4 comments

I could not find an answer to this question yet.

I'm using @nuxt/auth and have it set up globally in nuxt.config.js. If I'm not logged in, going to any page will redirect me to the login page. However, if I go to ../_content I can view all data. Is it possible to put this endpoint "behind bars"?

BTW: I'm using nuxt start and dev mode is turned off. Shouldn't the whole endpoint be invisible then? Bug?

Thanks in advance!

peterhijma avatar Sep 30 '20 10:09 peterhijma

Hi @phijma

If I understand correctly, you want to protect some of the files inside content/ only if you are connected with @nuxt/auth?

To do this, I think we can imagine a guard hook, but it is tricky since @nuxt/auth is working inside the Nuxt application to give you $auth.loggedIn and is not accessible inside the server middleware.

This is something we need to discuss with @pi0 and @benjamincanac for sure.

atinux avatar Oct 01 '20 14:10 atinux

Thanks for the response @Atinux

I'll clarify my goals:

I protect my frontend using @nuxt/auth globally. This works very well, also in combination with @nuxt/content. The pages I created inside the folder pages, which display the contents, are all protected properly.

But for a while now you can go directly to some_domain/_content/ (https://content.nuxtjs.org/advanced#api-endpoint) to check some JSON.

It says there: "This module exposes an API endpoint in development so you can easily see the JSON of each directory or file"

But, I don't want to expose this endpoint in production to users, because that is kind of a leak of my content inside the content folder. As the docs talk about development, I think the fact that this endpoint is also visible in production could be a bug.

One workaround I found was by deleting this part in the source: https://github.com/nuxt/content/blob/0c6df8f2c159ff2feac102c5b6a4a5a3ac270c81/packages/content/lib/index.js#L143

Maybe the solution is just to put a condition around this part? (if env == "development", or something like that).

peterhijma avatar Oct 01 '20 14:10 peterhijma

I am adding the pending label for this one.

I believe this could be added for the version 2 when using the API in production, because it is impossible to hide it for full static generation since the db.json will be exposed anyway.

atinux avatar Dec 18 '20 14:12 atinux
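
The guard-hook idea discussed above, written as a connect-style middleware that hides the `/_content` prefix in production unless a server-side check passes. This is an added example, not part of the thread or of the @nuxt/content code base; `createContentGuard`, `isAuthorized`, `simulate` and the `x-demo-session` header are hypothetical names, and the requests are constructed.

```javascript
// Added example. createContentGuard, isAuthorized and simulate are hypothetical names.
function normalizedPath(rawUrl) {
  try {
    // Collapse leading slashes/backslashes so "//_content" is not parsed as a host,
    // then let the WHATWG URL parser resolve "." and ".." segments.
    const cleaned = rawUrl.replace(/^[\/\\]+/, '/');
    const { pathname } = new URL(cleaned, 'http://localhost');
    return decodeURIComponent(pathname).replace(/\/{2,}/g, '/').toLowerCase();
  } catch (err) {
    return null; // malformed URL or percent-encoding: caller rejects
  }
}

function deny(res, status) {
  res.statusCode = status;
  res.setHeader('Cache-Control', 'no-store');
  res.end();
}

function createContentGuard({ prefix = '/_content', production, isAuthorized }) {
  const root = prefix.toLowerCase();
  return function contentGuard(req, res, next) {
    const path = normalizedPath(req.url);
    if (path === null) return deny(res, 400);
    // Boundary is end of path, "/" or ".", so "/_contentful" is left alone.
    const boundary = path.charAt(root.length);
    const hit = path.startsWith(root) && ['', '/', '.'].includes(boundary);
    if (!hit || !production) return next();
    // The check must rely on what the server sees (cookie, header),
    // not on client-side state such as $auth.loggedIn.
    if (typeof isAuthorized === 'function' && isAuthorized(req)) return next();
    return deny(res, 404); // 404 rather than 403: do not confirm the endpoint exists
  };
}

// Constructed request/response stubs to exercise the guard offline.
function simulate(guard, url, headers = {}) {
  let outcome = null;
  const res = {
    statusCode: 200,
    setHeader() {},
    end() { outcome = this.statusCode; },
  };
  guard({ url, headers }, res, () => { outcome = 'next'; });
  return outcome;
}

// Constructed check: a real one would validate the session cookie or token.
const guard = createContentGuard({
  production: true,
  isAuthorized: (req) => req.headers['x-demo-session'] === 'valid',
});
console.log(simulate(guard, '/_content/articles')); // 404
```

In Nuxt 2 a handler like this would be registered through the `serverMiddleware` option in nuxt.config.js; that it runs before the module's own `/_content` handler is an assumption to verify in your setup. It does not help with full static generation, where db.json is exposed anyway, as noted above.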

Is this still pending?

I think it would also be beneficial to Nuxt Studio if developers could easily offer themes that can control access to the Nuxt Content.

Related: https://github.com/nuxt/content/issues/1977 and https://github.com/nuxt/content/discussions/1532

oripka avatar Oct 05 '23 20:10 oripka