Password protect your Next.js projects with IP whitelisting functionality.
Installations
npm install next-password-protect-ipDeveloper Guide
Typescript
Yes
Module System
CommonJS
Node Version
14.20.1
NPM Version
9.1.1
Releases
Unable to fetch releases
Contributors
Unable to fetch Contributors
Languages
TypeScript (81.65%)
JavaScript (15.38%)
CSS (2.88%)
Shell (0.09%)
Developer
Download Statistics
Total Downloads
1,264
Last Day
1
Last Week
19
Last Month
33
Last Year
193
GitHub Statistics
125 Commits
1 Branches
Bundle Size
52.68 kB
Minified
16.11 kB
Minified + Gzipped
Maintainers
Package Meta Information
Latest Version
1.5.0
Package Id
next-password-protect-ip@1.5.0
Unpacked Size
640.23 kB
Size
141.79 kB
File Count
323
NPM Version
9.1.1
Node Version
14.20.1
Publised On
20 Apr 2023
Total Downloads
Cumulative downloads
Total Downloads
1,264
Last day
0%
1
Compared to previous day
Last week
1,800%
19
Compared to previous week
Last month
94.1%
33
Compared to previous month
Last year
-82%
193
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
4
Dev Dependencies
77
next-password-protect
Password protect your Next.js deployments. View demo (Password is secret)
How it works
This library adds a password prompt to your Next.js deployment. It consists of two main parts:
- Two serverless API routes:
- A login route that checks if a password is correct and sets a cookie with a JWT in case it is.
- A check route that validates if you have the authorization cookie with a valid JWT.
- A HOC (Higher-Order Component) that wraps Next.js App and adds a check that validates if you are logged in. If you do, then you can view the app normally; otherwise, you are presented with a password prompt.
Important: The recommended use case for this library is in a staging or preview environment. By taking advantage of webpack's DefinePlugin, we can make sure this library is only included in certain environments, keeping the production bundle size small.
This library is NOT meant as a secure password authentication wrapper, but rather as a way to keep nosey people out.
Installation
1yarn add next-password-protect 2# or 3npm install next-password-protect
Usage
There are 3 steps to enabling password protect: setting a global variable, adding the API routes, and adding the HOC to _app.
Step 1
In order to be able to take advantage of dead code elimination, it is recommended to add an environment variable like process.env.PASSWORD_PROTECT, and enable the library based on that variable. To set this variable, add the following to next.config.js:
1module.exports = { 2 env: { 3 // Add any logic you want here, returning `true` to enable password protect. 4 PASSWORD_PROTECT: process.env.ENVIRONMENT === 'staging', 5 } 6});
Step 2
Add two api routes, one with the loginHandler and one with the passwordCheckHandler api function. You can name them anything, as long as you pass the names to loginApiUrl and checkApiUrl respectively, in the next step. By default it expects /login and /passwordCheck.
1import { loginHandler } from "next-password-protect"; 2 3export default loginHandler("YOUR_SECRET_PASSWORD", { 4 // Options go here (optional) 5 cookieName: "next-password-protect", 6});
1import { passwordCheckHandler } from "next-password-protect"; 2 3export default passwordCheckHandler("YOUR_SECRET_PASSWORD", { 4 // Options go here (optional) 5 cookieName: "next-password-protect", 6});
Step 3
Add the withPasswordProtect HOC to the default export of App in pages/_app.tsx:
1import { withPasswordProtect } from "next-password-protect"; 2 3// Before: export default App; 4export default process.env.PASSWORD_PROTECT 5 ? withPasswordProtect(App, { 6 // Options go here (optional) 7 loginApiUrl: "/login", 8 }) 9 : App;
Note: make sure to specify loginApiUrl and/or checkApiUrl if the api route(s) are not default.
API
API routes handlers
loginHandler(password: string, options)
The options object can contain any of the following options:
| Option | Description | Default value |
|---|---|---|
cookieMaxAge | Cookie Max-Age attribute | undefined |
cookieName | The name of the authorization cookie | 'next-password-protect' |
cookieSameSite | SameSite cookie attribute | false |
cookieSecure | Secure flag on the cookie | process.env.NODE_ENV === 'production' |
passwordCheckHandler(password: string, options)
The options object can contain any of the following options:
| Option | Description | Default value |
|---|---|---|
cookieName | The name of the authorization cookie | 'next-password-protect' |
Next App HOC
withPasswordProtect(App: NextApp, options)
The options object can contain any of the following options:
| Option | Description | Default value |
|---|---|---|
checkApiUrl | Relative path of the api route handled by passwordCheckHandler | '/api/passwordCheck' |
loginApiUrl | Relative path of the api route handled by loginHandler | '/api/login' |
loginComponent | Supply your own React component to show as login prompt | LoginComponent |
loginComponentProps | Properties object to customize the login prompt, without overriding the entire component (see below) | {} |
bypassProtection | Bypass protection for specific routes, decided by callback with NextRouter param | ({ route }) => false |
The loginComponentProps object can contain any of the following options:
| Option | Description | Default value |
|---|---|---|
backUrl | Show a link with this URL to go back to main website | undefined |
buttonBackgroundColor | Login button background color | '#01EDBC' |
buttonColor | Login button color | '#111' |
logo | Show a logo above the prompt (img src) | undefined |
Advanced
Custom login component
To change the default login component, a React component can be supplied to the withPasswordProtect HOC. In order for the library to function properly, make sure your login component has password input that is validated by the the api route.
You can use src/hoc/LoginComponent.tsx as a starting point.
Caveats
AMP is not yet supported, because the LoginComponent failed AMP validation. On an AMP page, nothing is rendered. This could be fixed by changing LoginComponent to valid AMP.
No vulnerabilities found.
No security vulnerabilities found.