Unaweza kuhandle ushahidi wa uthibitisho katika aplikasyon ya Next.js App Router?

Question

Accepted Answer

Uthibitisho katika App Router inaenea katika tabaka kadhaa — vikali, middleware, ukaguzi wa upande wa seva, na kulinda Server Actions. Mkakati wa kisasa unakubaliana **na ukaguzi wa vikali upande wa seva** juu ya ukaguzi wa mteja tu. ## Mkakati wa vikali ```text Cookie-based sessions (httpOnly cookie): ✓ Store a signed session id or encrypted JWT in an httpOnly, secure cookie ✓ httpOnly = not readable by JavaScript → protects against XSS token theft ✓ Use a library: Auth.js (NextAuth), Clerk, Lucia, or a custom solution ``` ## 1. Kuzuia kwa ujumla katika middleware (kasi, lakini si hadithi nzima) ```ts // middleware.ts — quick check: does a session cookie exist? export function middleware(req: NextRequest) { const session = req.cookies.get("session")?.value; if (req.nextUrl.pathname.startsWith("/dashboard") && !session) { return NextResponse.redirect(new URL("/login", req.url)); } return NextResponse.next(); } ``` Middleware inaendeshwa kwenye Edge kabla ya kila ombi linalofanana — bora kwa uelekezaji wa bei nafuu. Lakini inapaswa tu kufanya ukaguzi wa *mwingine* wa kuwepo; usitegeme kama kuzuia kwa peke yake (kuki inaweza kuwa batili). ## 2. Kathibiti vikali ambapo unaviondokeza (mlango halisi) ```tsx // app/dashboard/page.tsx — verify on the server, in the page itself import { redirect } from "next/navigation"; export default async function Dashboard() { const user = await getCurrentUser(); // validates the session cookie server-side if (!user) redirect("/login"); // authoritative check return

Welcome {user.name}

; } ``` Ukaguzi huu wa vikali upande wa seva (katika Server Component) ni ukaguzi **wenye mamlaka** — kwa kweli unatathibiti vikali na kupakia mtumiaji. ## 3. Kulinda Server Actions na Route Handlers pia ```tsx "use server"; export async function deletePost(id: string) { const user = await getCurrentUser(); if (!user) throw new Error("Unauthorized"); // never trust the caller if (post.authorId !== user.id) throw new Error("Forbidden"); // authorization await db.post.delete({ where: { id } }); } ``` Server Actions ni mihtasari ya umma — **kila wakati uthihimizaji mwanzo na upendeleo ndani yao**, bila kujali kuzuia kwa ngazi ya UI. ## Kwa nini ukaguzi wa tabaka ```text Middleware → fast redirect for the common case (better UX, not security-critical) Server Component/Action → real verification (security boundary) Never rely on hiding UI in the client as a security measure ``` ## Kwa nini inamaanisha Uthibitisho katika App Router ni ulinzi wa kina: cookies httpOnly (vikali salama kutoka kwa XSS), middleware kwa kuelekezwa kwa haraka, na — muhimu sana — **ukaguzi wa upande wa seva kwa kila nukta ya kufikia na kuabadilisha data**. Kosa la kawaida na hatari ni kutibu ukaguzi wa middleware au UI iliyofichwa ya mteja kama ya kutosha; ulinzi halisi unatoka katika kuthibitisha vikali na upendeleo kwenye seva kila mahali ambapo data nyeti inasomwa au kubadilishwa.