Protecting Routes

Secure your application using JopiJS's declarative security system. Learn how to lock folders and specific actions without code.

Security in JopiJS is visual. You secure a folder by simply creating an empty file inside it. No complex middleware or configuration required.

Prerequisites:

1. Creating the Admin Module

In JopiJS, security rules are defined within your modules. Let's create a dedicated module for our protected area.

We want to create a /dashboard area accessible only to users with the admin role.

Inside src/mod_admin/@routes, create a folder named dashboard. Add a simple page.tsx file:

export default function AdminDashboard() {
    return <h1 className="p-10 text-2xl">Welcome to the Secure Dashboard</h1>;
}

Inside the dashboard folder, create a new empty file named: needRole_admin.cond

Open http://localhost:3000/dashboard.
JopiJS will detect the .cond file and block access because you are not logged in as an admin.
You will see a 401 Unauthorized error.

Sometimes you want a page to be public, but restrict certain actions (like posting a message).

Let's create a /contact route in mod_admin/@routes/.

Inside the contact folder, create this empty file: postNeedRole_validated.cond

Now:

GET /contact (Viewing the page) -> Allowed for everyone.
POST /contact (Submitting the form) -> Blocked unless the user has the validated role.

File Prefix	Scope
`needRole_`	Everything (Folder + all subfolders)
`pageNeedRole_`	Page Only (`page.tsx`)
`postNeedRole_`	POST API Only (`onPOST.ts`)
`getNeedRole_`	GET API Only

Important Concepts:

Inheritance: If you protect a folder, every file and sub-folder inside it is automatically protected.
Logical OR: If you place needRole_admin.cond AND needRole_editor.cond in the same folder, users can access it if they are an Admin OR an Editor.