Authentication in the App Router spans several layers: sessions, middleware, server-side checks, and protection of Server Actions. The modern approach favours server-side session validation over client-only checks.
Session strategy
```text
Cookie-based sessions (httpOnly cookie):
✓ Store a signed session id or encrypted JWT in an httpOnly, secure cookie
✓ httpOnly = not readable by JavaScript → protects against XSS token theft
✓ Use a library: Auth.js (NextAuth), Clerk, Lucia, or a custom solution
```
1. Coarse-grained guard in middleware (fast, but not the whole story)
```ts
import { NextResponse, type NextRequest } from "next/server";

export function middleware(req: NextRequest) {
  // Cookie name and route paths are assumed placeholders; the original identifiers were lost.
  const session = req.cookies.get("session")?.value;
  // Only a presence check: the cookie is not verified here.
  if (req.nextUrl.pathname.startsWith("/dashboard") && !session) {
    return NextResponse.redirect(new URL("/login", req.url));
  }
  return NextResponse.next();
}
```
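To make the gap between the middleware's presence check and a real server-side session check concrete, here is an added example (not code from the original page or from any of the libraries it names): an HMAC-signed session cookie verified with Node's crypto, alongside pure decision functions so both guards can be exercised without a Next.js runtime. The cookie name, secret and protected path prefix are assumed values.

```typescript
// Added example, not from the original page. Cookie name, secret and the
// protected path prefix are assumed placeholders.
import { createHmac, timingSafeEqual } from "node:crypto";

const SESSION_COOKIE = "session";       // assumed cookie name
const PROTECTED_PREFIX = "/dashboard";  // assumed protected route prefix

// Cookie value format: "<sessionId>.<base64url HMAC-SHA256(sessionId)>".
// The signature lets the server reject forged or tampered session ids.
function sign(sessionId: string, secret: string): string {
  return createHmac("sha256", secret).update(sessionId).digest("base64url");
}

export function issueSessionCookie(sessionId: string, secret: string): string {
  return `${sessionId}.${sign(sessionId, secret)}`;
}

// Returns the session id when the signature is valid, otherwise null.
export function verifySessionCookie(value: string | undefined, secret: string): string | null {
  if (!value) return null;
  const dot = value.lastIndexOf("."); // signature is base64url, so it contains no "."
  if (dot <= 0) return null;
  const id = value.slice(0, dot);
  const given = Buffer.from(value.slice(dot + 1), "base64url");
  const expected = Buffer.from(sign(id, secret), "base64url");
  // Constant-time comparison; check length first because timingSafeEqual throws on mismatch.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  return id;
}

// The coarse middleware decision: cookie present or not, nothing verified.
export function coarseGuard(pathname: string, cookie: string | undefined): "allow" | "redirect" {
  return pathname.startsWith(PROTECTED_PREFIX) && !cookie ? "redirect" : "allow";
}

// The server-side decision a Server Component or Server Action should make:
// the cookie named SESSION_COOKIE must carry a valid signature.
export function fineGuard(pathname: string, cookies: Record<string, string | undefined>, secret: string): "allow" | "redirect" {
  if (!pathname.startsWith(PROTECTED_PREFIX)) return "allow";
  return verifySessionCookie(cookies[SESSION_COOKIE], secret) ? "allow" : "redirect";
}
```

A forged cookie passes `coarseGuard` but fails `fineGuard`, which is why the middleware check is fast but not sufficient on its own.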
