I don't know about you all, but I'm a for protecting large groups of routes in the handle Hook.

This is high quality stuff, the kind of errors most people would make and gloss over. Hoping now that sveltekit 1.0 is out, it starts to get some serious industry traction.

Wow, I really learned a lot from your tutorials about Sveltekit, this is the best and the most valuable learning resources for people who want to quickly dive in Sveltekit application development, I have actually got stuck in authentication for quiet a while because I have no idea how hooks, locals, etc. work and what do they do until your tutorials come out and it save my day, thank you so much 🙏🙏🙏

Thanks for bringing exposure to this! Since the layout call is cached on continuous redirections it shouldn’t actually be used for auth, but hooks should be, since they’re running on every request as middleware. Still it seems like an easy mistake to be made, so people should definitely be mindful of this case 👏

Wow this was awesome! Thank you so much for this! Hopefully you'll do more security / structuring videos! I'll try to support you financially next year because these vids are so valuable for me! Keep it up

I was making this mistake and being confused by why it wasn't working as I expected. Thanks!!

Dude gonna watch this as soon I am at home

Thank you so much, I was doing exactly the example of the beginning

MAN, IDK HOW TO THANK YOU ENOUGH

Thanks for covering this in a video

Supabase's SvelteKit starter guide is a security disaster

This video appeared in my recommended loads of times over the past year and I never clicked it, I only remembered now it because I just found out our site has this problem lel

I was using login check wrongly in layout , thanks for explaining

Thanks Hunter - letting you know the github links are broken, but you can find them in all Repositories...

it's not necessary to make another request just to validate a user, it works but for latency reasons it's easier to work with JWT in an http only cookie as they can be a tool to quickly validate the request as authentic without an extra network request to do the same work

Great insight, totally didn't consider this.

The problem is that you shouldnt be running these checks on the client anyway.

1 year later, for some reason cloning the exact same repo#main does not seem to show the behavior. It always runs "Run Layout Auth Check" for the same scenario. Any idea why? Curious as it is running the same sveltekit version (1.0.0)

do you think this happens for react router too?

Does this apply to server.js API routes?

Dang. Didn’t knew this. Thank you!

Thanks for another great tutorial. Could you please create a video for firebase and sveltekit authentication?

did you look at the svelte auth package the vercel guys put out? does that solve things

Trying to have the check in root layout.server.js but this causes infinite loop redirect for me 😞 It seems there is no way in SvelteKit to solve this.

If you're doing resource access/manipulation without any user checks and it lives close to the client(not a vpc) you're already introducing a lot of security issues into your app. Always make sure the user has permission, for example, what happens if the organization downgrades their access, the idea of a wildcard param thats actually queryable so close to the client will introduce security issues, be it sveltekit, or any framework. Because your basically saying, I'm trusting this small niche feature of a new webapp to always perform as expected through each update

The main issue here is the server returning data without making any security checks, that's the main issue to be addressed. The server should never return non-public data without checking for a valid token or session. Get that done and all this client side validation becomes purely a UX improvement, as it should be, because you can't force attackers to go through your client side code before making requests to your server.

nice vid, what about throwing errors from hooks.server? Are we able to display +error.svelte page?

What if you copy +layout.server.ts, create +layout.ts and paste the same logic there? Wouldnt that solve the issue?

I authenticate and authorize every request using `event.locals` - so even if an user somehow navigates to admin routes, they won't see any data. From my POV authorizing users in `layout.server.ts` in more of an accessibility feature to deny navigating somewhere in the first place.

I thought about this as well. Then I thought: What would happen if I somehow disable/intercept redirects in my browser? Is the redirect the only thing protecting the route? Has anyone info about that?

Cool! One odd/wrong question. How would you "protect" some roots in a static page? I know it's impossible to run auth on a CDN or make code not accesible if you know the url but... Knowing the code will be shown, what would you do to make harder the discoverability of new routes. Before anyone ask, yep, I know it's worthless, just wondering.

The real problem here is that the database call isn't passing the auth token along before it pulls data so that the backend ensures your authenticated and have access to the data. That's the real issue, in fact even with the fixes you did, someone could still spoof and call that call to get customers and still get them. Fix that, and everything you showed here is fixed, and then yes you can do the rest of the stuff. But all backend calls for any sensitive data that should be scoped to a role, should pass that data along.

TLDR Protected requests happens anyway when using Layout... edit: unless using await parent() where parent layout checks auth or you could use handle hook

What browser are you using there?

Sir, can you make a tutorial on Sveltekit + Mongodb CRUD/Auth and page/server route protection, I got reading mongodb data working, but I cant find answers about how to create models and perform Create/Update/Delete operations, hopefully you can help people who want to migrate MERN app into Sveltekit 🙏

High value as always!!

Thanks for this video, was making this mistake

Looking this video end of 2024. Seems like the issue is fixed already. without await parent() load function doesn't proceed

Doesn't this assume that the API is insecure in the first place? I should never be able to access sensitive info without providing my JWT (or whatever mechanism you use). In your example, I could access all your data either way because you API exposes it.

Surreldb with sveltekit tutorial..

I'm in this video, and I don't like it :D

great video

Hahahaha nice :)

SvelteKit route system is absolutely trashed at this moment. here is critical need one file route system with support of custom route guard\middlewares like it implemented in Laravel or Ember as example.

Thank you very much for this video and explanation of this issue. Do you think the official Supabase GitHub documentation and examples for SvelteKit auth-helpers supabase/auth-helpers/tree/main/packages/sveltekit is incorrect as well?