SvelteKit
using +auth.server.ts
exampleThis is a repository demonstrating a solution to the current difficulties using authorization in SvelteKit
as discussed here.
I want to showcase the pain points of dealing with authorization in more complex applications.
The solution forsees that SvelteKit
should offer a built-in way to handle authorization. Key-aspects are:
+auth.server.ts
that exports a guard
function+auth.server.ts
guards of the current route will run (all parents)+layout
and +page
files+layout
and +page
load
s get executed that are on the current level or below the guard that throws+layout
files will run after a guard throws and should have the same error-handling behavior as if the load
function inside the co-located +layout
file would throw in it's first line.RequestHandler
s (POST
, DELETE
, etc.)+auth.server.ts
should be completely optional. If someone does only need basics, he can probably handle it in hooks.server.ts
.Those are the points I would consider. This is just a proposal and the naming and details are open to discuss.
The main
-branch implements an example with the current version of SvelteKit
and tries to demonstrate what you need to consider when you try to use authorization in an application. I have identified 10 issues, you need to consider when you really want to make sure to protect your application (search for 'potential issue:').
The rfc
-branch wants to show how you would write your application using the +auth.server.ts
approach mentioned above.
Note: the routes will not actually be protected when you try to run this example, because
+auth.server.ts
is just a concept for now.
This PR shows the differences of both approaches.
If you know other benefits (or downsides) to this approach, feel free to open an issue or a PR to demonstrate it in both branches.
hooks.server.ts
:SvelteKit
applications.vite
-plugin