Allow /api routes to be private to the client app #16441
In docs we read:
and yet if I create a POST route for /api/post-route it will be available publicly, so for example I can use a tool like https://reqbin.com/ to make a request to the website and the Next server will pass my request further. I saw an example of using CORS but it is not useful - it does not work when applied.
Thanks for help.
I'm having the exact same problem!
I would be interested in a solution to this. The way that I have done it currently is to store an HttpOnly cookie on initial load, then validate any further API request against the cookie. I have also encrypted the cookie to ensure it was set by the app.
This would be quite a useful feature
Is there any solution yet? I'm facing the exact same problem. I want to restrict my API to the Next.js application only and 2 more domains which are able to receive the data from the endpoints. For this I want to save the allowed domains as username with a generated token in my database. This would look like this: username | token. Then if somebody is requesting the endpoint, I'm checking if the user and token are allowed. Now for Domain1 and Domain2 I can just give them the username and token and on my API endpoint I can check if it's true in the database. But how to do that with my own application? Since I'm not able to use username or password in my application, because it's printed to the public then. I could use env variables which I can read on the API endpoint, but how can I make sure that the request is coming from my own application? Like you're already saying, with Postman and other requesting tools you can call the API from everywhere. In my approach I could restrict it in that way perfectly fine, we would just need a smart idea to detect the application itself. Any ideas? (Preferred with code if you like to, I'm quite new to this topic and I can't find much useful stuff on the web)
I'm also interested in seeing a solution to this. Either using cookies or some kind of public/private key solution. Is there a library out there that can help?
Any updates on this?
It looks like @leerob implemented something like this in the on-demand ISR demo in the pages/api/webhook.js file, check it out here: https://github.com/leerob/on-demand-isr/blob/main/pages/api/webhook.js