Authentication in both component and middleware

After did some search I'm still confused how solid start handles the authentication. In some auth libraries, they are using middleware to protect api routes and actions but not components(middlewares do not get called when route changes). I looked at the auth example, it only applies a simple action, not a layout.
I simply created an auth middleware (from lucia example) and protected component, but I think the solution is not clear.

colinshenOP•4/15/24, 3:47 PM

middleware

protected component

Problems：

If session or user is null, middleware should return a redirect to login page, but redirect function or sendRedirect(from vinxi) cause too many redirect error. If the middleware logic is correct, how to redirect in middleware?

colinshenOP•4/15/24, 3:51 PM

In protected component, I can easily redirect in server functions. Doing it again in component with is definitely not necessary. Should I just return null in the function?

peerreynders•4/15/24, 4:12 PM

re-exports h3's (which vinxi wraps) which you can use in middleware.

Example

I don't see how is used in your code sample.

That said you have to let the request for (and any requests supporting that page) pass otherwise you will get into an infinite loop of redirects.

Response - h3

Utilities to send response headers and data

GitHub

solid-start-demo-login/src/middleware.ts at restart · peerreynders/...

SolidStart seed project with simple user management for demonstration projects. - peerreynders/solid-start-demo-login

Ppeerreynders `@solidjs/start/server` re-exports [h3's `sendRedirect`](https://h3.unjs.io/util...

colinshenOP•4/16/24, 3:18 AM

Thanks! I need to pass the login to make it work. Do you think middleware is enough for authentication, not using an auth component or context?

peerreynders•4/16/24, 12:30 PM

Your component code simply verifies that the middleware already performed the required authentication. So it really doesn't "authenticate" anything, it just ensures that it hasn't been reached via an unprotected route (i.e. one that was inadvertently left unprotected by the middleware); and it's still vulnerable if for example the authentication cookie survived for longer than it should.

So if there are "sensitive areas" OWASP recommends to force re-authentication even if the user is already logged in.

Authentication - OWASP Cheat Sheet Series

Website with the collection of all the cheat sheets of the project.