Does Remix have any protection against parsers/bots that extract data from the loader? #8908
-
At the moment, Remix doesn't support Middleware (which would run before your loaders), but it is on the Roadmap (#7642). There are a couple of options:
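```ts
import { json, type LoaderFunctionArgs } from '@remix-run/node'

// Check the key inside each loader that needs protecting.
export async function loader({ request }: LoaderFunctionArgs) {
  const apiKey = await requireApiKey(request)
  //... do something with key
}

// Throws a 401 response unless the request carries a valid API key.
// checkAuthHeader is your own key lookup (not shown here).
async function requireApiKey(request: Request) {
  const authHeader = request.headers.get('Authorization')
  const apiKey = await checkAuthHeader(authHeader)
  if (!apiKey) {
    throw json({ error: 'Invalid API key' }, { status: 401 })
  }
  return apiKey
}
```

```js
// server.js
// ...
app.all("*", handleRequest);

// Check the key once, in the Express server, before Remix handles the request.
async function handleRequest(req, res, next) {
  if (req.path.startsWith("/api/")) {
    const authHeader = req.headers["authorization"];
    let apiKey;
    try {
      // await: checkAuthHeader is async (it is awaited in the loader version),
      // and an un-awaited promise is always truthy, so the check would never fail.
      apiKey = await checkAuthHeader(authHeader);
    } catch (err) {
      // Express 4 does not catch rejections from async handlers.
      return next(err);
    }
    if (!apiKey) {
      res.status(401).json({ error: "Invalid API Key" });
      return;
    }
  }
  return remixHandler(req, res, next);
}
```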
-
Yes, the main problem is that the UI component receives data through a special request to the Remix application, and this request can be used by bots/parsers to retrieve data bypassing the HTML. I'd like to somehow make it harder for bots, so that what they get from the loader is not JSON data but, for example, ready HTML or encrypted data that will be decrypted inside the component.
-
I'm wondering if there is any protection against accessing `loader()` results directly via a special HTTP request like `http://localhost:3000/hello?_data=routes/_test`, which freely returns my JSON data to be used by parsers or bots.
I would like to provide a separate paid API service and to complicate such parsing, which is available through the Remix app.