
Route Authentication & Authorization Guide

Routes define how your website responds to URLs. Some routes need access control: rules about who may reach them and what they may do there. Access control on a route is built from two checks, Authentication and Authorization.

This guide explains both concepts, their differences, and how to configure them.


1. Understanding Route Security

Why we secure routes:

  • Prevent unauthorized users from accessing sensitive pages.
  • Ensure only the right roles or users perform certain actions.
  • Protect your store data and modules from unintended changes.

There are two main aspects of route security:

  1. Authentication – verifies who the user is.
  2. Authorization – determines what the user can do.

2. Authentication

Authentication ensures that the user is logged in before accessing certain routes.

Key points:

  • Public routes do not require login.
  • Protected routes require the user to log in.
  • Example: Only logged-in users can view their order history.

Steps to configure authentication for a route:

  1. Navigate to the Routes section.
  2. Select the route you want to secure.
  3. Enable Authentication.
  4. Save the route.

After this, any unauthenticated user trying to access the route will be redirected to the login page.


3. Authorization

Authorization ensures that only users with the appropriate roles or permissions can access a route or perform an action.

Key points:

  • Determines what logged-in users can do.
  • Works in combination with authentication.
  • Example: Only users with the "Admin" role can delete blog posts.

Steps to configure authorization for a route:

  1. Ensure the route is authenticated (user must log in).
  2. Select Authorization options.
  3. Assign roles or permissions allowed to access the route:
    • Admin
    • Editor
    • Viewer
  4. Save the route.

Users not in the allowed roles will see an access denied message when trying to access the route.


4. Example Workflow

Scenario: You want to secure the route /admin/dashboard:

  1. Navigate to the Routes section and select /admin/dashboard.
  2. Enable Authentication → Only logged-in users can access.
  3. Enable Authorization → Allow Admin role only.
  4. Save changes.

Result:

  • Unauthenticated users → redirected to login page.
  • Logged-in users with role Editor → access denied.
  • Logged-in users with role Admin → full access.
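The outcomes in the Result list above come from two checks run in a fixed order: first "is anyone logged in?", then "is this person allowed here?". The following is an added example, not the platform's own code, showing that two-stage guard as a plain function so you can see why the order matters and what each stage returns. The route table, the user object shape (`{ id, role }`) and the result object standing in for an HTTP response are all assumptions made for the example; `checkPolicy` runs a constructed access matrix against the guard and returns every case that does not behave as the policy intends.

```javascript
// Added example (not the platform's own code): the two-stage route guard the
// guide describes, written as a plain function so it runs offline.
// Assumptions: a static route table, a user object of the form { id, role },
// and a plain result object standing in for an HTTP response.

// Constructed route table mirroring the guide's examples.
const ROUTES = {
  "/": { auth: false },
  "/account/orders": { auth: true },                     // login required, any role
  "/admin/dashboard": { auth: true, roles: ["Admin"] },  // login required, Admin only
  "/blog/delete": { roles: ["Admin"] },                  // roles set but auth left unset
};

function guardRoute(path, user) {
  const route = ROUTES[path];
  if (!route) {
    return { status: 404 };
  }

  // Authorization is meaningless without authentication: a route that lists
  // roles is treated as authenticated even if "auth" was never set on it.
  const hasRoles = Array.isArray(route.roles) && route.roles.length > 0;
  const requiresAuth = route.auth === true || hasRoles;
  if (!requiresAuth) {
    return { status: 200 };
  }

  // Stage 1: authentication. No logged-in user -> redirect to the login page,
  // remembering where they were trying to go.
  if (!user) {
    return { status: 302, location: "/login?next=" + encodeURIComponent(path) };
  }

  // Stage 2: authorization. Deny unless the user's role is explicitly listed
  // on the route (deny by default; an unlisted role never gets through).
  if (hasRoles && !route.roles.includes(user.role)) {
    return { status: 403, body: "Access denied" };
  }

  return { status: 200 };
}

// Constructed access matrix matching the "Result" list for /admin/dashboard,
// plus a few surrounding cases. Each entry states the status the policy
// is supposed to produce.
const EXPECTED = [
  { path: "/admin/dashboard", user: null, status: 302 },
  { path: "/admin/dashboard", user: { id: 2, role: "Editor" }, status: 403 },
  { path: "/admin/dashboard", user: { id: 1, role: "Admin" }, status: 200 },
  { path: "/account/orders", user: null, status: 302 },
  { path: "/account/orders", user: { id: 3, role: "Viewer" }, status: 200 },
  { path: "/blog/delete", user: null, status: 302 },
  { path: "/", user: null, status: 200 },
];

// Returns the cases whose actual outcome differs from the intended one;
// an empty array means every secured route behaves as configured.
function checkPolicy(cases) {
  return cases
    .map((c) => ({ ...c, got: guardRoute(c.path, c.user).status }))
    .filter((c) => c.got !== c.status);
}
```

Two points worth noticing in the guard. The authentication check comes first and short-circuits, so the authorization stage never has to reason about an anonymous visitor; and the role check is deny-by-default, so adding a new role to the system grants nothing until a route explicitly lists it. Running `checkPolicy(EXPECTED)` after every change to the route table is the cheap way to catch a route that was accidentally left open.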

5. Best Practices

  • Always enable authentication for sensitive routes. Hiding a link from the menu is not a control: only the check on the route itself blocks a direct request to the URL.
  • Use role-based authorization to narrow access further; authentication alone proves that someone is logged in, not that they belong on the route.
  • Authorization depends on authentication: a route that lists allowed roles but is not marked as authenticated has no logged-in user to check the roles against.
  • Keep the list of roles and their permissions current, and remove a role from a route as soon as it no longer needs access.
  • Test each secured route as an anonymous visitor and as a logged-in user in a role that is not allowed, not only as an Admin, to confirm that the redirect and the access denied message actually appear.
  • Combine with route conditions to further filter access dynamically (e.g., based on module data or schedule).

Route authentication and authorization help maintain security and control over your store while ensuring the right users have access to the right features.