f691258a5c
* refactor(agents): move prescriptive content from knowledge-base to rules - Create architecture-page-level-auth.md for Next.js auth checks - Create data-prefer-select-over-include.md for Prisma query optimization - Create performance-dayjs-usage.md for Day.js performance guidelines - Create quality-avoid-barrel-imports.md for import best practices - Update knowledge-base.md to reference rules directory - Remove duplicated prescriptive content from knowledge-base.md Co-Authored-By: eunjae@cal.com <hey@eunjae.dev> * chore(agents): remove redundant rules reference from knowledge-base Co-Authored-By: eunjae@cal.com <hey@eunjae.dev> * docs: add agents/rules reference to AGENTS.md extended documentation Co-Authored-By: eunjae@cal.com <hey@eunjae.dev> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
1.7 KiB
1.7 KiB
title, impact, impactDescription, tags
| title | impact | impactDescription | tags |
|---|---|---|---|
| Page-Level Authorization Checks in Next.js | CRITICAL | Prevents unauthorized access to sensitive data | security, nextjs, authorization, architecture |
Page-Level Authorization Checks in Next.js
Impact: CRITICAL (Prevents unauthorized access to sensitive data)
Authorization checks must be performed in page.tsx or server components, never in layout.tsx. Layouts don't intercept all requests and can be bypassed.
Incorrect (auth checks in layout):
// app/admin/layout.tsx - DON'T DO THIS
export default async function AdminLayout({ children }) {
const session = await getUserSession();
if (!session?.user.role === "admin") {
redirect("/");
}
return <div>{children}</div>;
}
Correct (auth checks in page):
// app/admin/page.tsx
import { redirect } from "next/navigation";
import { getUserSession } from "@/lib/auth";
export default async function AdminPage() {
const session = await getUserSession();
if (!session || session.user.role !== "admin") {
redirect("/"); // Or show an error
}
// Protected content here
return <div>Welcome, Admin!</div>;
}
Why layouts are unsafe for auth:
- Layouts don't intercept all requests (direct navigation, refreshes)
- APIs and server actions bypass layouts entirely
- Risk of data leaks if layout check is skipped
Key rules:
- Check permissions inside every restricted
page.tsx - Validate session/user/role before querying sensitive data
- Redirect or return nothing to unauthorized users before running restricted code
Reference: Next.js Security Best Practices