You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: readme.md
+5-13
Original file line number
Diff line number
Diff line change
@@ -86,29 +86,21 @@ We provide an extremely simplifed deployment process for heroku.
86
86
87
87
That's it! Your app should be live and shareable. Type `heroku open` to view it.
88
88
89
-
## Setting up Route authorization
89
+
## Route authorization with Passport boilerplate
90
90
91
-
If your app uses the Passport boilerplate for accounts, you will want to restrict access to certain client routes/api routes.
91
+
For restricting server API routes to authenticated users, you can pass your routes through the `auth` middleware, which will send a 401 unauthorized error if a request is made from someone thats not logged in.
92
92
93
-
For restricting server API routes, we can use the `auth` middleware, which will send a 401 unauthorized error if a request is made from someone thats not logged in.
93
+
The client side will automatically send you to the login page if it receives a 401 error.
94
94
95
-
For restricting routes on the client side, we automatically handle 401s sent from the server by redirecting you to the login page.
96
-
97
-
However, as this will load part of the page before redirecting, it will cause a flicker. So this should only be used as a fallback mechanism. A better way to handle restricted pages is to mark the routes on the client side that you want to require authentication for.
95
+
However, as this will load part of the page before redirecting, it will cause a flicker. A way to avoid this is to to mark the routes on the client side that you want to require authentication for.
98
96
99
97
You can do this from your `app.js` by adding the following to any client routes that you want to restrict to logged in users.
100
98
101
99
```
102
100
authenticate: true
103
101
```
104
102
105
-
This redirects the user to the login page before attempting to load the new route, avoiding the flicker.
106
-
107
-
Please keep in mind this client routing is only for improving the user interface. Make sure you **secure your server API** routes and don't give any sensitive information unless the user is authenticated or authorized.
108
-
109
-
#### How do I only let authorized users access an api route?
110
-
111
-
Similarly to how the `auth` middleware checks if a user authenticated before going to the next route, you can make an ensureAuthorized middleware that checks the users role, or some other field, before sending them to the protected route, otherwise have it sends a `403` error.
103
+
Keep in mind this client routing is only for improving the user interface. Make sure you secure your server API routes and don't give any sensitive information unless the user is authenticated or authorized.
0 commit comments