using better-auth to protect the entire route
I have implemented better-auth for tanstack start (https://www.better-auth.com/docs/integrations/tanstack) and I want to protect all pages in the route, how can I do that?
WI do this in an _auth.tsx file in the beforeload function
in my _root.tsx:
where fetchsession:
in my _root.tsx:
where fetchsession:
Wyou can probably use the better auth client instead to return the session
authClient.getSession()
LYou can also cache it with tanstack query
O@bxr getSession with Auth client always returns null, even when cookie is set , not sure why
ODo you have an example of this? I recently started using tanstack start
LSomething like this (mind you I have never used better auth)
LGitHub
minimal TanStack Start template with React 19, Better Auth, Drizzle ORM, shadcn/ui - dotnize/react-tanstarter
LAll credit of course to dotnize
SI would like to say that I was facing this problem, didn't find support in better-auth discord, then found this thread and it helped me out. But I did my thing based on the examples you guys posted and dotnize's repo.
I believe my approach is clean enough for people who are just meeting tan start and better auth (my case):
I created a
Then in my auth route I was able to
This problem took me a few hours because as a beginner in fullstack react frameworks I didn't knew what could be used in the file route class and what should be a server function. I specifically tried to retrieve request data (for it's headers) in my _auth route for about an hour, didn't find it in docs, tried to play around with imports, tried to log every argument available in beforeLoad method and in createFileRoute. Only yesterday I saw the
I believe my approach is clean enough for people who are just meeting tan start and better auth (my case):
I created a
src/lib/authfunctions.ts file similar to dotnize's auth/functions.ts file: Then in my auth route I was able to
import { $getUser } from '@/lib/authfunctions' and grab user data in beforeLoad method using const user = await $getUser(). This problem took me a few hours because as a beginner in fullstack react frameworks I didn't knew what could be used in the file route class and what should be a server function. I specifically tried to retrieve request data (for it's headers) in my _auth route for about an hour, didn't find it in docs, tried to play around with imports, tried to log every argument available in beforeLoad method and in createFileRoute. Only yesterday I saw the
getRequest method in this thread and thought oh I just found you, you sneaky request object.DIf you're using authClient.useSession anywhere in the app, or Better Auth UI (which uses it under the hood), I would suggest to use an isomorphic function & authClient.getSession from the client, so it correctly updates useSession to use the latest session that is fetched on navigation
DAnother thing you might want to consider if you are using authClient.useSession is that this will result in multiple server requests just to authenticate the route. If you're not using authClient.useSession, this approach is probably fine, or if you don't care about double fetching the session
DFor example, in my header I am using authClient.useSession to render a UserButton. This means that every page that has header will send a GET request to /api/get-session already. If I want to protect an SSR route at the "middleware" level, I simply check for cookie presence - not an actual getSession check. Then I protect the content on the client by checking if data is not null from authClient.useSession (<SignedIn> component does this from Better Auth UI)
DAnother consideration is Cloudflare, if you're serving tons of requests you can save $$ by using prerendered routes, which means you won't be able to do SSR middleware on those routes, so client-side auth checks will be needed via useSession. Or even better, you can use Cloudflare "redirect rules" that just check for the cookie presence and perform the redirect before the route even loads
Tthe docs of better-auth state that it's recommended to use 'authClient' instead of 'server' functions, but I don't think that approach works for isomorphic beforeLoad functions as the session is always null on the server. Is there a way to conditionally run logic based on if it runs on the server or client in tanstack?
Tcan you give a code example of this?
Tan example showing how you can check the session/cookie both client and server side in tanstack
Tfor now, I am using this workaround:
PYou can check here => https://github.com/AmanVarshney01/create-better-t-stack/blob/main/apps/cli/templates/auth/better-auth/web/react/tanstack-start/src/routes/dashboard.tsx.hbs
Create a new project and select betanstack and better-auth => https://www.better-t-stack.dev/
Create a new project and select betanstack and better-auth => https://www.better-t-stack.dev/
GitHub
A modern CLI tool for scaffolding end-to-end type-safe TypeScript projects with best practices and customizable configurations - AmanVarshney01/create-better-t-stack
Better-T-Stack
A modern CLI tool for scaffolding end-to-end type-safe TypeScript projects with best practices and customizable configurations
Wcan you show how you check cookie presence? What if the cookie is expired?
WI ended up creating an isomorphic fn
DThat's totally fine if you don't want to use cookie cache
DI mostly use client side for my projects, way simpler
DAlso lets me use static rendering for all my pages (totally free on Cloudflare)
DThis is how you get the cookie. My setup is session cookie check only when I want to prevent a route from even rendering at all, and then it falls back to client checks on authClient.useSession()
I show skeletons during isPending
DTBH the dream is to check the cookie on Cloudflare's domain rules system and have it redirect the user to sign in directly at the DNS step
DThen the dashboard page is totally static, and does conditional rendering based on authClient.useSession
DYou could literally just define a rule on cloudflare, when they go to /dashboard, and they are missing the better auth cookie, redirect to /auth/sign-in.
Then all the pages use Vite prerendering and serve from cdn, no worker cpu for the entire site, only for auth API requests. Unlimited free requests and egress for serving the site
Then all the pages use Vite prerendering and serve from cdn, no worker cpu for the entire site, only for auth API requests. Unlimited free requests and egress for serving the site
Wah that's pretty smart
BThis is a template of mine that showcases how to integrate better-auth and resend in tanstack start.
I am constantly updating the packages to their latest versions, and try to use the best practices as much as I could.
https://github.com/aliallaoua/better-auth
I am constantly updating the packages to their latest versions, and try to use the best practices as much as I could.
https://github.com/aliallaoua/better-auth
GitHub
A production-ready authentication starter built with TanStack Start, leveraging best practices and the latest versions of key dependencies. - aliallaoua/better-auth
Wnice, i'll take a look. Do you ever run into issues with
I was looking into it and found:
tried to stream query ["some_key"] after stream was already closed since you are using tanstack query in ssr? I have it all the time, which made me move away from tanstack query in beforeLoadI was looking into it and found:
A query (e.g., via prefetchQuery or ensureQueryData in beforeLoad/loader) starts streaming data to the client during prefetch. A mid-stream redirect (e.g., auth guard) aborts/closes the stream prematurely. Client hydration then attempts to resume/access the orphaned query state, triggering the error