Access Control for Statically Generated Pages?

[julianklotz]

Dear next.js community,

I’m currently evaluating Next.js for a project and there’s a tricky requirement that I’m trying to tackle.

Let’s say there are 1000 pages which can all be generated statically (i.e. the pages always look the same).
100 of them shall only be a available to a small group of people. These people have an user account in my backend application.

Before serving the (statically generated) pages, I need to check both publication status of the pages and user permissions.
If possible, don’t want to use server-side rendering for this case, but static generation.

Here’s what came to my mind:

• Using Preview Mode for all logged-in users and fetching data on request (or returning a 403 status)
• Using X-Accel or X-Sendfile: Serve the pages from a web server’s private location and performing access control before allowing users to view the private location
• (Creating several build of my page, including different files)

Do you have any recommendations for implementing the intended behavior?

Thanks for your advice!

[julianklotz]

Any ideas here?

[lfades]

Static generation cannot have runtime requirements, pages will be generated at build time to static files that ignore user's permissions and other filters that may be required when you request the page. However, you could try adding an API endpoint on top of the route and redirect an user if he cannot enter the page (but that means you'll have to run a serverless function for every request to make the check). If your pages aren't known you could try something more simple and only show navigations to the pages that an user can see.

[julianklotz]

However, you could try adding an API endpoint on top of the route and redirect an user if he cannot enter the page (but that means you'll have to run a serverless function for every request to make the check).

Thanks! I’ll give it a try.

[abbott]

Thanks! I’ll give it a try.

Keep in mind any static pages (private route or not) will be available in your bundle which is accessible via browser, so if there is content you would like to serve to users with the appropriate permissions then you would need to do it dynamically or use SSR