← Back to Skills Marketplace
Route Protection
by
Bovin Phang
· GitHub ↗
· v2.5.0
· MIT-0
39
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install fec-route-protection
Description
Use when implementing or reviewing frontend route protection, auth guards, RBAC, permission routes, login state handling, redirects, middleware, React Router...
README (SKILL.md)
路由保护
Purpose
为前端应用建立清晰的认证、授权和重定向边界,避免越权访问与闪烁渲染。
When to Use
- 页面需要登录后访问,或不同角色看到不同路由。
- 需要实现 React Router、Next.js、Nuxt 或 Vue Router 的路由守卫。
- 登录过期、权限不足、组织/租户切换需要统一处理。
- 不用于替代服务端授权;前端路由保护只能改善体验,不能作为唯一安全边界。
Procedure
1. 定义认证与授权状态
export type AuthStatus = "loading" | "anonymous" | "authenticated";
export interface CurrentUser {
id: string;
roles: string[];
permissions: string[];
}
export function canAccess(user: CurrentUser, required: string[]) {
return required.every((permission) => user.permissions.includes(permission));
}
2. React Router 使用布局守卫
import { Navigate, Outlet, useLocation } from "react-router-dom";
interface ProtectedRouteProps {
requiredPermissions?: string[];
}
export function ProtectedRoute({ requiredPermissions = [] }: ProtectedRouteProps) {
const location = useLocation();
const { status, user } = useAuth();
if (status === "loading") return \x3CRouteLoading />;
if (status === "anonymous") {
return \x3CNavigate to="/login" replace state={{ from: location }} />;
}
if (requiredPermissions.length > 0 && !canAccess(user, requiredPermissions)) {
return \x3CNavigate to="/403" replace />;
}
return \x3COutlet />;
}
const router = createBrowserRouter([
{
element: \x3CProtectedRoute requiredPermissions={["orders:read"]} />,
children: [{ path: "/orders", element: \x3COrdersPage /> }],
},
]);
3. Next.js 优先在服务端边界处理
// middleware.ts
import { NextResponse, type NextRequest } from "next/server";
export function middleware(request: NextRequest) {
const token = request.cookies.get("session")?.value;
const isPrivateRoute = request.nextUrl.pathname.startsWith("/dashboard");
if (isPrivateRoute && !token) {
const loginUrl = new URL("/login", request.url);
loginUrl.searchParams.set("redirect", request.nextUrl.pathname);
return NextResponse.redirect(loginUrl);
}
return NextResponse.next();
}
export const config = {
matcher: ["/dashboard/:path*"],
};
对需要精细权限的 App Router 页面,在 server component 或 server action 中重新校验权限,不依赖客户端状态。
4. Vue Router / Nuxt 使用导航守卫
router.beforeEach(async (to) => {
const auth = useAuthStore();
if (auth.status === "unknown") await auth.fetchCurrentUser();
if (to.meta.requiresAuth && !auth.user) {
return { path: "/login", query: { redirect: to.fullPath } };
}
const required = to.meta.permissions as string[] | undefined;
if (required?.length && !auth.canAccess(required)) {
return { path: "/403" };
}
});
5. 统一失败与跳转体验
401:清理过期会话,跳转登录页并保留redirect。403:进入无权限页,不反复重试。loading:渲染稳定骨架屏,避免先显示私有内容再跳转。- 登录成功:只跳转到同源且允许的路径,防止 open redirect。
- RBAC:权限矩阵来自可信会话或后端返回;前端只用于路由体验和 UI 裁剪,不能替代接口授权。
- 会话刷新:401 刷新失败后统一清理状态;避免多个并发请求各自触发跳转或刷新风暴。
Constraints
- 前端路由保护不是安全边界;API、SSR loader、server action 必须重复做授权校验。
- 不要在组件渲染后用
useEffect才跳转私有页面,否则会出现敏感内容闪烁。 - redirect 参数必须限制为站内路径,不能直接信任 URL 输入。
- 权限信息应来自可信会话或后端响应,不要只依赖 localStorage 中的角色字段。
- 多租户应用必须把 tenant/org 上下文纳入权限判断。
- 不把菜单隐藏视为授权完成;用户直接访问 URL、刷新页面、篡改 localStorage 和替换 tenant 都必须验证。
Expected Output
产出一套路由守卫实现,覆盖 loading、未登录、权限不足、登录后回跳和会话过期。验证时直接访问私有 URL、刷新页面、切换角色、篡改 redirect 参数,确认行为稳定且 API 仍有服务端授权。
Usage Guidance
This skill appears safe to install as a reference guide. Treat its code snippets as examples to adapt and still enforce authorization on APIs, loaders, server actions, and backend routes.
Capability Assessment
Purpose & Capability
The skill’s purpose is coherent: it guides implementation and review of frontend route guards, RBAC checks, redirects, and related auth patterns. The included examples are aligned with that purpose.
Instruction Scope
Instructions are scoped to frontend security design and explicitly warn that frontend route protection is not a substitute for server-side authorization.
Install Mechanism
The artifact contains only SKILL.md, README.md, metadata.json, and package.json. No install scripts, executable files, or runtime hooks are present.
Credentials
No API keys, tokens, local profiles, browser sessions, or external service credentials are requested.
Persistence & Privilege
No persistence, background workers, privilege escalation, file mutation, network automation, or account-impacting actions are defined.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install fec-route-protection - After installation, invoke the skill by name or use
/fec-route-protection - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.5.0
Version 2.5.0
- Expanded documentation in SKILL.md with detailed guidance for frontend route protection across React Router, Next.js, Vue Router, and Nuxt.
- Added clear definitions for authentication states, RBAC, and permission checks.
- Provided practical code examples for server-side and client-side route guards.
- Clarified security constraints, best practices, and failure-handling patterns.
- Emphasized the distinction between frontend protection and true server-side authorization.
Metadata
Frequently Asked Questions
What is Route Protection?
Use when implementing or reviewing frontend route protection, auth guards, RBAC, permission routes, login state handling, redirects, middleware, React Router... It is an AI Agent Skill for Claude Code / OpenClaw, with 39 downloads so far.
How do I install Route Protection?
Run "/install fec-route-protection" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Route Protection free?
Yes, Route Protection is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Route Protection support?
Route Protection is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Route Protection?
It is built and maintained by Bovin Phang (@bovinphang); the current version is v2.5.0.
More Skills