-
Notifications
You must be signed in to change notification settings - Fork 33
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use route-level config to set allowedRoles
#134
Comments
That sounds like a great solution! Here are some thoughts:
That's what I've got so far. |
Thanks for the feedback!
Not sure I follow the case this is talking about, but if the user sets
Hm, interesting thought. I'm not aware of any data structure, and such a data structure wouldn't be complete since links can be dynamic. Even if there was, an attacker could theoretically still access the content by inspecting the bundle. It might be best to warn (or error?) if we detect a prerendered page with Re: the proposed API for
The slug versions are kinda hard for me to parse, might need to think a bit more on what a good API there would be. It does seem like a rather niche usecase too, so maybe it doesn't need to be solved immediately as long as we can introduce it without a breaking change. |
Related: #65, #60, #66, #102
The problem: Azure SWA allows you to secure routes via setting
allowedRoles
in the routes config. However, it is not easy to take advantage of this feature with this SvelteKit adapter.The proposal: use SvelteKit's route-level config to associate allowedRoles with a route. This could be extended for other route-level configuration in the future, if needed.
For example, if you have a route at
/secured
, you could setallowedRoles
in the corresponding+page.js
or+page.server.js
file like so:The adapter would use this information to write the following route rule:
You could also export
config
from a+layout.js
, and the adapter would write aroute
with an allowed role for each route under that layout.This solves the aforementioned issues:
config
from a root-level+layout.js
.rewrite
yourself, and renaming your route folders in SvelteKit will automatically update the config (routes and config stay in sync)It also has several more benefits
__data.json
routes as well, which are generated by SvelteKit to fetch dataPassing
routes
to the adapter would still be supported as it is today. Those routes would appear before any routes generated by the adapter, so to have priority.Technical breakdown
During the adapter step, SvelteKit provides a
routes
object representing all the routes in the app and the config associated with those routes. For example:The types for RouteDefinition are in the SvelteKit repo
We can convert the
pattern
regex into theroute
property needed by the SWA config. (We can't useroute.id
since it could include layout groups or optional parameters). Then, for each route, write a rule with the route pattern and the specifiedallowedRoles
. We may also want to write a rule for the__data.json
endpoint associated with the route.One sticking point is the relative inflexibility of Azure SWA route pattern. The wildcard can only appear at the end of the route pattern, so it wouldn't be possible to protect
/blog/[slug]/edit
but not/blog/[slug]
- they would both be represented by the/blog/*
pattern. We would need to detect this conflict at build time and throw an error.Also, because route config applies to an entire route folder, you couldn't protect an individual slug with this method - either you protect the entire
/blog/[slug]
route, or none of it. You could get around this by passing custom routes to the adapter, but then you would have to handle therewrite
property yourself.We also may want to warn/error if a user-supplied route does not set
allowedRoles
, since that will override the route generated by the adapter.Limitations
There are some limitations:
allowedRoles
.Potential future enhancements
I wouldn't include these in the initial release of this feature, but here are some potential improvements:
/blog/[slug]
example above). One idea: if you pass a route handled by the SvelteKit app (determined using thepattern
property in the adapter) but don't rewrite or redirect it, automatically add the rewrite ruleAny questions?
Would love to hear feedback about this approach? Is this workable? Is there anything I missed?
The text was updated successfully, but these errors were encountered: