The Problem with Using Layouts for Auth


SvelteKit is a framework for building modern, high-performance, browser-based applications. It was developed by the team behind the popular Svelte framework and is powered by Svelte. Unlike other JavaScript frameworks, it doesn't use a virtual DOM or deliver a bloated and slow application.

⭐ Starting Code

📁 Final Code

💽 Check out my other SvelteKit Videos!

📚 Resources Mentioned In This Video:

📃 Topics Covered:
- How to add authentication to SvelteKit
- How to protect routes in SvelteKit
- Hooks in SvelteKit
- SvelteKit Middleware
- SvelteKit Protected Routes
- Handle hook SvelteKit
- How do hooks work in SvelteKit?
- What does the handle hook do in SvelteKit?
- Auth Guard in SvelteKit
- How to guard routes in SvelteKit
- What is SvelteKit?
- How to authenticate users in SvelteKit
- Layouts in SvelteKit
- Protect routes with layouts in SvelteKit
- SvelteKit Security

__________________________________________

(Affiliate links may be included in this description. If you choose to purchase a product from one of those links, I may receive a small commission at no cost to you. Thank you for supporting the channel!)
Comments

I don't know about you all, but I'm all for protecting large groups of routes in the handle hook.

Huntabyte

Thanks for bringing exposure to this! Since the layout call is cached on continuous redirections, it shouldn't actually be used for auth, but hooks should be, since they're running on every request as middleware. Still, it seems like an easy mistake to make, so people should definitely be mindful of this case 👏

boian-inavov

Wow, I really learned a lot from your tutorials about SvelteKit. This is the best and most valuable learning resource for people who want to quickly dive into SvelteKit application development. I had actually been stuck on authentication for quite a while because I had no idea how hooks, locals, etc. work and what they do until your tutorials came out and saved my day. Thank you so much 🙏🙏🙏

maskman

This is high quality stuff, the kind of errors most people would make and gloss over. Hoping now that SvelteKit 1.0 is out, it starts to get some serious industry traction.

richardfeynman-sdrg

Wow this was awesome! Thank you so much for this! Hopefully you'll do more security / structuring videos!

I'll try to support you financially next year because these vids are so valuable for me! Keep it up

RedBlade

The problem is that you shouldn't be running these checks on the client anyway.

whatever

Dude, gonna watch this as soon as I am at home

codewithguillaume

I was making this mistake and being confused by why it wasn't working as I expected. Thanks!!

adamshand

Supabase's SvelteKit starter guide is a security disaster

_phenomen

Thanks Hunter - letting you know the GitHub links are broken, but you can find them in all Repositories...

DavePerth

I was using the login check wrongly in the layout; thanks for explaining

SumanthChinthagunta

Thank you so much, I was doing exactly the example from the beginning

hknsegw

This video appeared in my recommendations loads of times over the past year and I never clicked it; I only remembered it now because I just found out our site has this problem lel

lwinklly

It's not necessary to make another request just to validate a user. It works, but for latency reasons it's easier to work with a JWT in an HTTP-only cookie, as it can be a tool to quickly validate the request as authentic without an extra network request to do the same work.

samifouad

1 year later, for some reason cloning the exact same repo#main does not seem to show the behavior. It always runs "Run Layout Auth Check" for the same scenario. Any idea why? Curious, as it is running the same SvelteKit version (1.0.0)

jangxyz

The real problem here is that the database call isn't passing the auth token along before it pulls data, so that the backend ensures you're authenticated and have access to the data. That's the real issue; in fact, even with the fixes you did, someone could still spoof and make that call to get customers and still get them. Fix that, and everything you showed here is fixed, and then yes you can do the rest of the stuff. But all backend calls for any sensitive data that should be scoped to a role should pass that data along.

otockian

Thanks for another great tutorial. Could you please create a video for firebase and sveltekit authentication?

sourabh

Great insight, totally didn't consider this.

MikeHTMLAllTheThings

The main issue here is the server returning data without making any security checks, that's the main issue to be addressed. The server should never return non-public data without checking for a valid token or session.

Get that done and all this client side validation becomes purely a UX improvement, as it should be, because you can't force attackers to go through your client side code before making requests to your server.

ricardoamendoeira
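The two points made in this thread, that the auth check belongs in a hook that runs on every request (the earlier reply about hooks as middleware) and that the server must still check before returning non-public data (the comment just above), as an added example that is not the video's code or the linked repo. The Halt class, the SESSIONS table, customersEndpoint, simulate and the /app and /admin prefixes are assumptions; the hook follows the shape of SvelteKit's handle, with stand-ins replacing the imports from '@sveltejs/kit' so the file runs on its own.

```typescript
// Added example, not the video's code or its repo: a SvelteKit-style handle hook guard in plain
// TypeScript so it runs stand-alone. In a real project the Handle type, redirect() and error()
// come from '@sveltejs/kit'; the minimal stand-in Halt covers both here.
type User = { id: string; role: 'admin' | 'customer' };
type RequestEvent = {
  url: URL;
  cookies: { get(name: string): string | undefined };
  locals: { user: User | null };
};
type Res = { status: number; body: string }; // stand-in for the Response the route returns
class Halt { constructor(public status: number, public location?: string) {} }
// Constructed session table standing in for the auth provider / database lookup.
const SESSIONS: Record<string, User | undefined> = { 'sess-cust': { id: 'u1', role: 'customer' }, 'sess-admin': { id: 'u2', role: 'admin' } };
// Guarded here rather than in +layout.server.ts: the hook runs for every request that reaches
// the server, while a layout load is skipped on client-side navigation when its data is not invalidated.
const PROTECTED = ['/app', '/admin'];
export const requiresAuth = (path: string): boolean =>
  PROTECTED.some((p) => path === p || path.startsWith(p + '/'));
export async function handle({ event, resolve }: { event: RequestEvent; resolve: (e: RequestEvent) => Promise<Res> }): Promise<Res> {
  const sid = event.cookies.get('session');
  event.locals.user = sid ? SESSIONS[sid] ?? null : null; // unknown session => anonymous
  if (requiresAuth(event.url.pathname) && !event.locals.user) {
    throw new Halt(303, '/login?redirectTo=' + encodeURIComponent(event.url.pathname));
  }
  if (event.url.pathname.startsWith('/admin') && event.locals.user?.role !== 'admin') {
    throw new Halt(403); // role-scoped group: authenticated but not authorised
  }
  return resolve(event);
}
// A +server.ts-style endpoint still checks locals itself before returning non-public data:
// a direct request never passes through client-side code, only through this server.
export function customersEndpoint(locals: RequestEvent['locals']): Res {
  if (!locals.user) throw new Halt(401);
  return { status: 200, body: JSON.stringify([{ id: 'c1', owner: locals.user.id }]) };
}
// Drives one request through the hook and then the endpoint (resolve stands in for the matched
// route); returns "ok <status>", "redirect <location>" or "error <status>".
export async function simulate(path: string, cookie?: string): Promise<string> {
  const event: RequestEvent = {
    url: new URL('https://example.test' + path),
    cookies: { get: (name) => (name === 'session' ? cookie : undefined) },
    locals: { user: null },
  };
  try {
    const res = await handle({ event, resolve: async (e) => customersEndpoint(e.locals) });
    return 'ok ' + res.status;
  } catch (e) {
    if (!(e instanceof Halt)) throw e;
    return e.location ? 'redirect ' + e.location : 'error ' + e.status;
  }
}
```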

What if you copy +layout.server.ts, create +layout.ts and paste the same logic there? Wouldn't that solve the issue?

IBakeCookies