codingstuff.io
ExploreTutorialsProblemsCS Subjects
Get Started
ExploreTutorialsProblemsCS Subjects
Get Started
codingstuff.io

Master the art of building software through interactive tutorials, real-world problems, and guided projects.

Pune, Maharashtra, India

codingstuffmail@gmail.com

Product

  • Explore
  • Tutorials
  • Problems
  • CS Subjects

Company

  • About
  • Contact
  • Privacy Policy
  • Terms & Conditions
  • Sitemap

© 2026 codingstuff.io. All rights reserved.

Built with ❤️ for developers everywhere

/
/
All Tutorials
▲

Next.js

36 / 73 topics
32Authentication and Authorization33JWT Authentication34OAuth Integration35Session Management36Protecting Routes
Tutorials/Next.js/Protecting Routes
▲Next.js

Protecting Routes

Updated 2026-04-20
2 min read

Introduction

Protecting routes is a critical aspect of web application security, ensuring that only authorized users can access certain pages or resources. In this section, we will explore various methods to protect routes in a Next.js application using the modern App Router, React Server Components, and async components.

Prerequisites

Before diving into the implementation details, ensure you have the following:

  • Basic understanding of Next.js.
  • A Next.js project set up with the App Router. If not, you can create one using:
    npx create-next-app@latest my-nextjs-app --typescript
    cd my-nextjs-app
    

Authentication Libraries

One of the most common ways to protect routes is by using authentication libraries. We will explore two popular libraries: next-auth and firebase.

Using Next-Auth

next-auth is a lightweight, open-source authentication library for Next.js applications.

Installation

First, install next-auth:

npm install next-auth

Configuration

Create an [...nextauth].js file in the app/api/auth directory:

// app/api/auth/[...nextauth]/route.js
import { NextAuth } from 'next-auth';
import Providers from 'next-auth/providers';

export const authOptions = {
  providers: [
    Providers.Google({
      clientId: process.env.GOOGLE_CLIENT_ID,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
    }),
  ],
};

const handler = NextAuth(authOptions);
export { handler as GET, handler as POST };

Protecting Routes

To protect a route, use the useSession hook provided by next-auth:

// app/protected/page.js
import { useSession } from 'next-auth/react';
import Link from 'next/link';

export default function Protected() {
  const { data: session, status } = useSession();

  if (status === 'loading') return <p>Loading...</p>;
  if (!session) return <Link href="/api/auth/signin">Sign in</Link>;

  return (
    <div>
      <h1>Protected Page</h1>
      <p>Welcome, {session.user.email}!</p>
    </div>
  );
}

Using Firebase

Firebase is another powerful tool for authentication and can be integrated with Next.js.

Installation

Install Firebase:

npm install firebase

Configuration

Set up Firebase in your project:

// app/firebase.js
import { initializeApp } from 'firebase/app';
import { getAuth } from 'firebase/auth';

const firebaseConfig = {
  apiKey: "YOUR_API_KEY",
  authDomain: "YOUR_AUTH_DOMAIN",
  projectId: "YOUR_PROJECT_ID",
  storageBucket: "YOUR_STORAGE_BUCKET",
  messagingSenderId: "YOUR_MESSAGING_SENDER_ID",
  appId: "YOUR_APP_ID"
};

const app = initializeApp(firebaseConfig);
export const auth = getAuth(app);

Protecting Routes

Create a custom hook to check authentication status:

// app/hooks/useAuth.js
import { useState, useEffect } from 'react';
import { auth } from '../firebase';

export function useAuth() {
  const [user, setUser] = useState(null);

  useEffect(() => {
    const unsubscribe = auth.onAuthStateChanged((authUser) => {
      if (authUser) {
        setUser(authUser);
      } else {
        setUser(null);
      }
    });

    return () => unsubscribe();
  }, []);

  return user;
}

Use this hook to protect routes:

// app/protected/page.js
import { useAuth } from '../hooks/useAuth';
import Link from 'next/link';

export default function Protected() {
  const user = useAuth();

  if (!user) return <Link href="/login">Sign in</Link>;

  return (
    <div>
      <h1>Protected Page</h1>
      <p>Welcome, {user.email}!</p>
    </div>
  );
}

Custom Middleware

Next.js also allows you to create custom middleware for route protection.

Creating Middleware

Create a middleware.js file in the root of your project:

// middleware.js
import { NextResponse } from 'next/server';

export function middleware(req) {
  const token = req.cookies.get('auth_token');

  if (!token) {
    return NextResponse.redirect(new URL('/login', req.url));
  }

  return NextResponse.next();
}

export const config = {
  matcher: ['/protected/:path*'],
};

Applying Middleware

Ensure your next.config.js includes the middleware configuration:

// next.config.js
module.exports = {
  reactStrictMode: true,
};

Server-Side Rendering (SSR)

Protecting routes on the server side can add an extra layer of security.

Using getServerSideProps

Modify your page to fetch user data and check authentication status:

// app/protected/page.js
export async function getServerSideProps(context) {
  const token = context.req.cookies.auth_token;

  if (!token) {
    return {
      redirect: {
        destination: '/login',
        permanent: false,
      },
    };
  }

  // Fetch user data using the token

  return { props: {} };
}

export default function Protected() {
  return (
    <div>
      <h1>Protected Page</h1>
      <p>Welcome, User!</p>
    </div>
  );
}

Best Practices

  • Use HTTPS: Always use HTTPS to encrypt data in transit.
  • Secure Cookies: Use secure and HttpOnly flags for cookies storing authentication tokens.
  • Validate Tokens: Validate JWTs or other tokens on both the client and server sides.
  • Regularly Update Dependencies: Keep your dependencies up to date to protect against vulnerabilities.

Conclusion

Protecting routes is essential for maintaining the security of your Next.js application. By using authentication libraries, custom middleware, and server-side rendering techniques, you can effectively control access to sensitive pages and resources. Always follow best practices to ensure a secure application environment.


PreviousSession ManagementNext Deployment Strategies

Recommended Gear

Session ManagementDeployment Strategies