How to Protect Routes in Next.js Effectively

nextjs interview questions

Question 3 / 20

Keep going — you're making progress.

How do you protect routes in Next.js?

Protecting routes in Next.js is crucial for ensuring that only authorized users can access certain pages or components of your application. This can be achieved using various methods, including server-side rendering (SSR), client-side authentication checks, and middleware. Below, I will outline some effective strategies for route protection in Next.js.

Server-Side Authentication

One of the most secure methods for protecting routes is to implement server-side authentication using Next.js's `getServerSideProps` function. This allows you to check user authentication status before rendering a page.


export async function getServerSideProps(context) {
  const { req } = context;
  const user = await getUserFromSession(req); // Fetch user from session

  if (!user) {
    return {
      redirect: {
        destination: '/login',
        permanent: false,
      },
    };
  }

  return {
    props: { user }, // Pass user data to the page
  };
}

In this example, if the user is not authenticated, they are redirected to the login page before the page is rendered.

Client-Side Authentication

For client-side route protection, you can use React hooks to check authentication status. This is useful for protecting routes that are already rendered on the client side.


import { useEffect } from 'react';
import { useRouter } from 'next/router';

const ProtectedPage = () => {
  const router = useRouter();
  const user = useAuth(); // Custom hook to get user state

  useEffect(() => {
    if (!user) {
      router.push('/login'); // Redirect if not authenticated
    }
  }, [user]);

  return Protected Content;
};

In this example, the `useEffect` hook checks if the user is authenticated and redirects them if not. This ensures that protected content is only shown to authenticated users.

Using Middleware for Route Protection

Next.js 12 introduced middleware, which allows you to run code before a request is completed. This can be used for route protection as well.


import { NextResponse } from 'next/server';

export function middleware(req) {
  const token = req.cookies.get('token'); // Get token from cookies

  if (!token) {
    return NextResponse.redirect('/login'); // Redirect if no token
  }

  return NextResponse.next(); // Proceed to the requested page
}

With middleware, you can protect multiple routes efficiently without repeating authentication logic in each page component.

Best Practices

Always validate user sessions on the server side to prevent unauthorized access.
Use secure cookies for storing authentication tokens.
Implement role-based access control if your application has different user roles.
Keep sensitive logic on the server side to avoid exposing it to the client.

Common Mistakes

Relying solely on client-side checks, which can be bypassed.
Not handling token expiration properly, leading to unauthorized access.
Failing to secure API routes, which can expose sensitive data.

By following these strategies and best practices, you can effectively protect routes in your Next.js application, ensuring a secure and user-friendly experience.