nuxt / content

The file-based CMS for your Nuxt application, powered by Markdown and Vue components.
https://content.nuxt.com
MIT License

Using the @nuxt/auth module #520

Open peterhijma opened 3 years ago

peterhijma commented 3 years ago

I could not find an answer to this question yet.

I'm using @nuxt/auth and have it set up globally in nuxt.config.js. If I'm not logged in, going to any page will redirect me to the login page. However, if I go to ../_content I can view all data. Is it possible to put this endpoint "behind bars"?

BTW: I'm using nuxt start and dev mode is turned off. Shouldn't the whole endpoint be invisible then? Bug?

Thanks in advance!

atinux commented 3 years ago

Hi @phijma

If I understand correctly, you want to protect some of the files inside content/ only if you are connected with @nuxt/auth?

To do this, I think we can imagine a guard hook, but it is tricky since @nuxt/auth works inside the Nuxt application to give you $auth.loggedIn and is not accessible inside the server middleware.

This is something we need to discuss with @pi0 and @benjamincanac for sure.

peterhijma commented 3 years ago

Thanks for the response @Atinux

I'll clarify my goals:

I protect my frontend using @nuxt/auth globally. This works very well, also in combination with @nuxt/content. The pages I created inside the pages folder, which display the contents, are all protected properly.

But for a while now you can go directly to some_domain/_content/ (https://content.nuxtjs.org/advanced#api-endpoint) to check some JSON.

It says there: "This module exposes an API endpoint in development so you can easily see the JSON of each directory or file"

But, I don't want to expose this endpoint in production to users, because that is kind of a leak of my content inside the content folder. As the docs talk about development, I think the fact that this endpoint is also visible in production could be a bug.

One workaround I found was by deleting this part in the source: https://github.com/nuxt/content/blob/0c6df8f2c159ff2feac102c5b6a4a5a3ac270c81/packages/content/lib/index.js#L143

Maybe the solution is just to put a condition around this part? (if env == "development", or something like that).

atinux commented 3 years ago

I am adding the pending label for this one.

I believe this could be added for the version 2 when using the API in production, because it is impossible to hide it for full static generation since the db.json will be exposed anyway.

oripka commented 11 months ago

Is this still pending?

I think it would also be beneficial to Nuxt Studio if developers could easily offer themes that can control access to Nuxt Content.

Related: https://github.com/nuxt/content/issues/1977 and https://github.com/nuxt/content/discussions/1532
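Added example, not part of any comment in this thread and not code from the nuxt/content project: a Connect-style guard that could be registered under `serverMiddleware` in nuxt.config.js (Nuxt 2) so that the `/_content` prefix answers 404 in production unless a server-side check passes. `createContentGuard`, `isAuthorized` and the other helper names are hypothetical; the sketch assumes the guard runs before the module's own handler and that the prefix is matched case-insensitively with `/` or `.` as the boundary.

```javascript
// Added example (assumption-based): guard for the @nuxt/content API prefix.
const API_PREFIX = '/_content' // path named in the thread

// Reduce a raw request URL to a comparable path; null means "could not decode".
function normalizePath (rawUrl) {
  const pathOnly = String(rawUrl || '/').split(/[?#]/)[0]
  try {
    return decodeURIComponent(pathOnly).replace(/\/{2,}/g, '/').toLowerCase()
  } catch (err) {
    return null // malformed percent-encoding
  }
}

// True when the path is the prefix itself or continues with "/" or ".".
// An undecodable path is treated as a match so the guard fails closed.
function targetsContentApi (path) {
  if (path === null) return true
  if (!path.startsWith(API_PREFIX)) return false
  const boundary = path[API_PREFIX.length]
  return boundary === undefined || boundary === '/' || boundary === '.'
}

function deny (res) {
  res.statusCode = 404 // same answer as for a route that does not exist
  res.setHeader('Cache-Control', 'no-store')
  res.end('Not Found')
}

// isAuthorized(req) is a hypothetical synchronous hook, e.g. verifying a
// signed session cookie on the server. The default denies everything.
function createContentGuard ({ env = process.env.NODE_ENV, isAuthorized = () => false } = {}) {
  return function contentGuard (req, res, next) {
    if (env !== 'production' || !targetsContentApi(normalizePath(req.url))) {
      return next()
    }
    let allowed = false
    try {
      allowed = isAuthorized(req) === true
    } catch (err) {
      allowed = false // a failing check must not open the endpoint
    }
    return allowed ? next() : deny(res)
  }
}

// CommonJS export so the file can be listed under serverMiddleware.
if (typeof module !== 'undefined') module.exports = createContentGuard()
```

With the default deny-all hook, any client-side `$content` call that relies on this endpoint is rejected as well, so a real `isAuthorized` has to validate whatever credential the browser sends with those requests. As noted in the thread, a fully static build still ships the content database, and this guard does not change that.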