---
title: forbidden
description: API Reference for the forbidden function.
version: experimental
related:
  links:
    - app/api-reference/file-conventions/forbidden
---

The `forbidden` function throws an error that renders a Next.js 403 error page. It's useful for handling authorization errors in your application. You can customize the UI using the [`forbidden.js` file](/docs/app/api-reference/file-conventions/forbidden).

To start using `forbidden`, enable the experimental [`authInterrupts`](/docs/app/api-reference/config/next-config-js/authInterrupts) configuration option in your `next.config.js` file:

```ts filename="next.config.ts" switcher
import type { NextConfig } from 'next'

const nextConfig: NextConfig = {
  experimental: {
    authInterrupts: true,
  },
}

export default nextConfig
```

```js filename="next.config.js" switcher
module.exports = {
  experimental: {
    authInterrupts: true,
  },
}
```

`forbidden` can be invoked in [Server Components](/docs/app/getting-started/server-and-client-components), [Server Functions](/docs/app/getting-started/mutating-data), and [Route Handlers](/docs/app/api-reference/file-conventions/route).

```tsx filename="app/auth/page.tsx" switcher
import { verifySession } from '@/app/lib/dal'
import { forbidden } from 'next/navigation'

export default async function AdminPage() {
  const session = await verifySession()

  // Check if the user has the 'admin' role
  if (session.role !== 'admin') {
    forbidden()
  }

  // Render the admin page for authorized users
  return <></>
}
```

```jsx filename="app/auth/page.js" switcher
import { verifySession } from '@/app/lib/dal'
import { forbidden } from 'next/navigation'

export default async function AdminPage() {
  const session = await verifySession()

  // Check if the user has the 'admin' role
  if (session.role !== 'admin') {
    forbidden()
  }

  // Render the admin page for authorized users
  return <></>
}
```

## Good to know

- The `forbidden` function cannot be called in the [root layout](/docs/app/api-reference/file-conventions/layout#root-layout).

## Examples

### Role-based route protection

You can use `forbidden` to restrict access to certain routes based on user roles. This ensures that users who are authenticated but lack the required permissions cannot access the route.

```tsx filename="app/admin/page.tsx" switcher
import { verifySession } from '@/app/lib/dal'
import { forbidden } from 'next/navigation'

export default async function AdminPage() {
  const session = await verifySession()

  // Check if the user has the 'admin' role
  if (session.role !== 'admin') {
    forbidden()
  }

  // Render the admin page for authorized users
  return (
    <main>
      <h1>Admin Dashboard</h1>
      <p>Welcome, {session.user.name}!</p>
    </main>
  )
}
```

```jsx filename="app/admin/page.js" switcher
import { verifySession } from '@/app/lib/dal'
import { forbidden } from 'next/navigation'

export default async function AdminPage() {
  const session = await verifySession()

  // Check if the user has the 'admin' role
  if (session.role !== 'admin') {
    forbidden()
  }

  // Render the admin page for authorized users
  return (
    <main>
      <h1>Admin Dashboard</h1>
      <p>Welcome, {session.user.name}!</p>
    </main>
  )
}
```

### Mutations with Server Actions

When implementing mutations in Server Actions, you can use `forbidden` to only allow users with a specific role to update sensitive data.

```ts filename="app/actions/update-role.ts" switcher
'use server'

import { verifySession } from '@/app/lib/dal'
import { forbidden } from 'next/navigation'
import db from '@/app/lib/db'

export async function updateRole(formData: FormData) {
  const session = await verifySession()

  // Ensure only admins can update roles
  if (session.role !== 'admin') {
    forbidden()
  }

  // Perform the role update for authorized users
  // ...
}
```

```js filename="app/actions/update-role.js" switcher
'use server'

import { verifySession } from '@/app/lib/dal'
import { forbidden } from 'next/navigation'
import db from '@/app/lib/db'

export async function updateRole(formData) {
  const session = await verifySession()

  // Ensure only admins can update roles
  if (session.role !== 'admin') {
    forbidden()
  }

  // Perform the role update for authorized users
  // ...
}
```
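
The following is an added example, not code from the Next.js docs: a framework-free TypeScript model of the guard pattern used in the page and action examples above, runnable without Next.js. `forbiddenStub` stands in for `forbidden` from `next/navigation` (it shares only the never-returning behaviour), and `requireRole`, `updateRoleModel`, the role names and the in-memory store are assumptions made for illustration.

```typescript
// Added example (not the Next.js docs' or the framework's own code): models the
// forbidden() guard without Next.js. forbiddenStub, requireRole, updateRoleModel,
// the Role names and the Map-backed store are assumptions for illustration.

type Role = 'admin' | 'editor' | 'viewer'
const VALID_ROLES: readonly Role[] = ['admin', 'editor', 'viewer']

interface Session {
  userId: string
  role: Role
}

// Minimal shape shared by FormData and the fake form used in tests.
interface FormLike {
  get(name: string): unknown
}

class ForbiddenError extends Error {
  name = 'ForbiddenError'
}

// Stand-in for next/navigation's forbidden(): it never returns, it throws.
// The `never` return type is what lets code after the guard assume authorization.
function forbiddenStub(): never {
  throw new ForbiddenError('forbidden')
}

// Reusable guard: passes the session through when its role is allowed,
// otherwise hands control to the forbidden callback (default: the stub).
function requireRole(session: Session, allowed: readonly Role[], forbid: () => never = forbiddenStub): Session {
  if (!allowed.includes(session.role)) forbid()
  return session
}

// Server-Action-shaped mutation. The check lives inside the action itself because
// actions are HTTP endpoints that can be called without ever rendering the admin page.
function updateRoleModel(session: Session, form: FormLike, store: Map<string, Role>): { targetUserId: string; newRole: Role } {
  requireRole(session, ['admin'])
  const targetUserId = form.get('userId')
  const newRole = form.get('role')
  // Validate only after authorization: an unauthorized caller gets the 403, not validation details.
  if (typeof targetUserId !== 'string' || typeof newRole !== 'string' || !(VALID_ROLES as readonly string[]).includes(newRole)) {
    throw new Error('invalid input')
  }
  store.set(targetUserId, newRole as Role)
  return { targetUserId, newRole: newRole as Role }
}
```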

## Version History

| Version   | Changes                 |
| --------- | ----------------------- |
| `v15.1.0` | `forbidden` introduced. |