1 reply

How can I securely protect my Next.js /admin page login system?

I’m building an /admin page where admins can manage orders and products for an e-commerce site.

Right now, I’ve set up a simple API route at

/api/admin/login

/api/admin/login

that checks the username and password from environment variables, and sets a cookie for access:

import { NextRequest, NextResponse } from "next/server";

export async function POST(request: NextRequest) {
  const { username, password } = await request.json();
  if (
    username === process.env.ADMIN_USER &&
    password === process.env.ADMIN_PASS
  ) {
    const res = NextResponse.json({ success: true });
    res.cookies.set("admin-auth", "true", {
      httpOnly: true,
      secure: process.env.NODE_ENV === "production",
      sameSite: "strict",
      maxAge: 2 * 24 * 60 * 60, // 2 days
    });
    return res;
  }
  return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}

import { NextRequest, NextResponse } from "next/server";

export async function POST(request: NextRequest) {
  const { username, password } = await request.json();
  if (
    username === process.env.ADMIN_USER &&
    password === process.env.ADMIN_PASS
  ) {
    const res = NextResponse.json({ success: true });
    res.cookies.set("admin-auth", "true", {
      httpOnly: true,
      secure: process.env.NODE_ENV === "production",
      sameSite: "strict",
      maxAge: 2 * 24 * 60 * 60, // 2 days
    });
    return res;
  }
  return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}

However, I realized that anyone could just run:

document.cookie = "admin-auth=true";

document.cookie = "admin-auth=true";

and gain access to the admin page without logging in.

What’s the proper way to make this secure, so that users can’t simply forge the cookie or bypass authentication?

How can I securely protect my Next.js /admin page login system?

I’m building an /admin page where admins can manage orders and products for an e-commerce site.

Right now, I’ve set up a simple API route at

/api/admin/login

/api/admin/login

that checks the username and password from environment variables, and sets a cookie for access:

import { NextRequest, NextResponse } from "next/server";

export async function POST(request: NextRequest) {
  const { username, password } = await request.json();
  if (
    username === process.env.ADMIN_USER &&
    password === process.env.ADMIN_PASS
  ) {
    const res = NextResponse.json({ success: true });
    res.cookies.set("admin-auth", "true", {
      httpOnly: true,
      secure: process.env.NODE_ENV === "production",
      sameSite: "strict",
      maxAge: 2 * 24 * 60 * 60, // 2 days
    });
    return res;
  }
  return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}

import { NextRequest, NextResponse } from "next/server";

export async function POST(request: NextRequest) {
  const { username, password } = await request.json();
  if (
    username === process.env.ADMIN_USER &&
    password === process.env.ADMIN_PASS
  ) {
    const res = NextResponse.json({ success: true });
    res.cookies.set("admin-auth", "true", {
      httpOnly: true,
      secure: process.env.NODE_ENV === "production",
      sameSite: "strict",
      maxAge: 2 * 24 * 60 * 60, // 2 days
    });
    return res;
  }
  return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}

However, I realized that anyone could just run:

document.cookie = "admin-auth=true";

document.cookie = "admin-auth=true";

and gain access to the admin page without logging in.

What’s the proper way to make this secure, so that users can’t simply forge the cookie or bypass authentication?

How can I securely protect my Next.js /admin page login system?

Similar Threads

How can I securely protect my Next.js /admin page login system?

Similar Threads

Similar Threads

Similar Threads