huntabyte / sveltekit-protected-routes


This doesn't seem to prevent protected load functions running by client-side router preloading #2

Open Evertt opened 8 months ago

Evertt commented 8 months ago

I've copied the basic strategy from this repo into my project, while updating it to the most recent version of sveltekit.

And, I must be doing something wrong, because it works for the most part, except that the client-side router may still execute the load function of a protected route when it's preloading that protected route as a response to the user hovering over a link that points towards the protected route.

So I still get a console log in my browser that basically says "fetching sensitive data". It seems like in that scenario, the hook on the server is not being invoked.

Do you have any tips for that? Or do I just have to disable preloading?

harunzafer commented 4 months ago

@Evertt I've created a sveltekit-2 project from scratch, migrated the project and tried to reproduce the problem you've explained. As far as I can see it works as expected. Can you specify which route's load function is running? I don't see any log in the repo saying "fetching sensitive data". Have you added that log yourself? Also, are you sure you're trying this on the right branch? Which is the final-code branch.

fabianschwab commented 1 month ago

Hi @harunzafer, I have realized, in my project and also in a lot of other ones, that this approach does not work correctly. The simplest way to show this is to add a link in the top menu linking directly to /protected/item; then you can access it without being logged in. The way to correct this is to add a +page.server.ts to each subdirectory of the protected paths, in this case in /protected/item. I see the risk here that once you forget to add this file and you link to such a page, not-logged-in users can see the content. Is there a way around this? Because the official docs say the same thing, that everything is protected under the "protected" route, which is not true when client-side navigation is involved (because the hooks are not triggered).

The premise is that the page only contains a +page.svelte file, because all other files, including anything that involves the server like +server.ts, trigger the hooks on the server.
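The failure mode described in this thread is structural: a route directory that contains only a +page.svelte file has no server load, so a client-side navigation to it sends no request to the server at all, and a guard that lives in hooks.server.ts (or in a parent +layout.server.ts that is not re-run) is never consulted. The risk of forgetting the +page.server.ts file in one subdirectory can be caught mechanically. The following is an added example, not code from the sveltekit-protected-routes repo or from any commenter: a small Node/TypeScript audit that walks src/routes, and for every page directory under a protected prefix reports those that have a +page.svelte but no +page.server.ts/.js. The directory layout it builds in makeFixtureRoutes, the default prefix "protected", and the route names are constructed for illustration.

```typescript
// Added example (not the repo's code): audit a SvelteKit routes tree for
// pages under a protected prefix that lack a server load file. Such a page
// can be reached by client-side navigation without any server request, so
// hooks.server.ts never sees it. Fix: give each such page a +page.server.ts
// with at least an (empty) load function, e.g.
//   export const load = async () => ({});
// so that navigation fetches __data.json through the server hooks.
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

const SERVER_LOAD_FILES = ["+page.server.ts", "+page.server.js"];

// Convert a directory path under routesDir to the URL path SvelteKit serves,
// dropping route-group segments like "(admin)" which do not appear in the URL.
function routeUrl(routesDir: string, dir: string): string {
  const segments = path
    .relative(routesDir, dir)
    .split(path.sep)
    .filter((s) => s.length > 0 && !(s.startsWith("(") && s.endsWith(")")));
  return "/" + segments.join("/");
}

// Returns the sorted URL paths of pages under <routesDir>/<protectedPrefix>
// that have a +page.svelte but no +page.server.{ts,js}.
export function findUnguardedPages(
  routesDir: string,
  protectedPrefix = "protected",
): string[] {
  const start = path.join(routesDir, protectedPrefix);
  if (!fs.existsSync(start)) return [];
  const unguarded: string[] = [];

  const walk = (dir: string): void => {
    const entries = fs.readdirSync(dir, { withFileTypes: true });
    const files = entries.filter((e) => e.isFile()).map((e) => e.name);
    const hasPage = files.includes("+page.svelte");
    const hasServerLoad = SERVER_LOAD_FILES.some((f) => files.includes(f));
    if (hasPage && !hasServerLoad) unguarded.push(routeUrl(routesDir, dir));
    for (const e of entries) {
      if (e.isDirectory()) walk(path.join(dir, e.name));
    }
  };

  walk(start);
  return unguarded.sort();
}

// Constructed fixture (assumption, for demonstration only): a routes tree in
// a temp directory. /protected and /protected/settings carry a server load;
// /protected/item and /protected/(admin)/users do not.
export function makeFixtureRoutes(): string {
  const routesDir = fs.mkdtempSync(path.join(os.tmpdir(), "routes-"));
  const files = [
    "public/+page.svelte",
    "protected/+page.svelte",
    "protected/+page.server.ts",
    "protected/settings/+page.svelte",
    "protected/settings/+page.server.ts",
    "protected/item/+page.svelte",
    "protected/(admin)/users/+page.svelte",
  ];
  for (const rel of files) {
    const full = path.join(routesDir, ...rel.split("/"));
    fs.mkdirSync(path.dirname(full), { recursive: true });
    fs.writeFileSync(full, rel.endsWith(".ts") ? "export const load = async () => ({});\n" : "");
  }
  return routesDir;
}

// CLI: `npx tsx audit-protected-routes.ts src/routes` exits non-zero if any
// protected page is missing its server load file.
const rootArg = process.argv[2];
if (rootArg && fs.existsSync(rootArg)) {
  const bad = findUnguardedPages(rootArg);
  for (const r of bad) console.log(`unguarded protected route: ${r}`);
  process.exitCode = bad.length > 0 ? 1 : 0;
}
```

Run it against src/routes in CI (or as a pre-commit step) so that adding a new page under /protected without a +page.server.ts fails the build instead of silently shipping a page that client-side navigation can reach without ever hitting hooks.server.ts. Note that it only checks for the presence of a server load file; the guard logic inside that file (or in the hook) still has to be correct.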