What is the idiomatic way to implement auth protection?
The example shows the use of beforeLoad, but that does not include server functions, right? Checking authorization only in beforeLoad will leave server functions publicly accessible.
Putting the protection in global middleware is also problematic, because sending a POST request for logging in requires a publicly accessible endpoint. Since calling a server function is an RPC call with an automatically generated URL, using its URL for checking the endpoint feels like I'm using an internal API. And I'm not talking about sending a request for logging out or even passing context containing user data from global middleware.
I think this is very important. The documentation should give an idiomatic way of handling authorization protection.
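The gap described in this question, modeled as an added example that is not part of the original post and does not use any framework's API: a server function reachable by its generated URL ignores page-level guards, while a guard attached at the function's definition protects it and leaves login public without any URL allowlist. All names here (`withAuth`, `callRpc`, the `/_rpc/...` URLs, the credentials) are hypothetical and constructed for the demo.

```javascript
// Constructed model, not a real framework API: server functions are plain
// handlers reachable by generated RPC URLs, independent of any route guard.
const sessions = new Map(); // token -> user (in-memory, constructed for the demo)

// Per-function guard: resolves the session and passes the user as context.
const withAuth = (handler) => (req) => {
  const user = sessions.get(req.cookie);
  if (!user) return { status: 401, body: "unauthenticated" };
  return handler(req, { user });
};

// Public by design: it is simply not wrapped in withAuth.
const login = (req) => {
  // Constructed sample credentials; a real handler verifies a password hash.
  if (req.body.user !== "alice" || req.body.password !== "correct horse") {
    return { status: 401, body: "bad credentials" };
  }
  const token = "tok-" + (sessions.size + 1); // demo only; use a CSPRNG token in real code
  sessions.set(token, req.body.user);
  return { status: 200, body: "ok", setCookie: token };
};

const logout = withAuth((req) => {
  sessions.delete(req.cookie);
  return { status: 200, body: "logged out" };
});

const listInvoices = (req, ctx) => ({
  status: 200,
  body: `invoices for ${ctx?.user ?? "anyone"}`,
});

// Registry keyed by generated URL. The guard travels with the function,
// so nothing has to match on these URLs to decide what is public.
const rpc = {
  "/_rpc/login": login,
  "/_rpc/logout": logout,
  "/_rpc/invoices-unguarded": listInvoices, // relies on a page-level check only
  "/_rpc/invoices": withAuth(listInvoices),
};

// Direct request to an RPC URL: no page navigation happens, so no route guard runs.
function callRpc(url, req = {}) {
  const fn = rpc[url];
  if (!fn) return { status: 404, body: "not found" };
  return fn({ cookie: undefined, body: {}, ...req });
}
```
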