
Passing authorization header for page-data/app-data requests #23518

Closed
arunrajnayak opened this issue Apr 27, 2020 · 5 comments
Labels
type: question or discussion Issue discussing or asking a question about Gatsby

Comments

@arunrajnayak

Is there a way we can pass authorization headers to all requests for page-data/app-data, for handling authentication?

@arunrajnayak arunrajnayak added the type: question or discussion Issue discussing or asking a question about Gatsby label Apr 27, 2020
@LekoArts
Contributor

Thank you for opening this!

Have you already read our guide on this? https://www.gatsbyjs.org/docs/building-a-site-with-authentication/
You will need to use client-only routes to achieve authenticated routes as passing headers like you proposed won't be enough/won't work.

We're marking this issue as answered and closing it for now but please feel free to comment here if you would like to continue this discussion. We also recommend heading over to our communities if you have questions that are not bug reports or feature requests. We hope we managed to help and thank you for using Gatsby!

@arunrajnayak
Author

Yes. I did try it. But the issue with that was, the content is still exposed in one of the page js files. I want to avoid that, as one can still access this file without authentication.

@huyz

huyz commented Sep 18, 2020

I have the exact same question, with the exact same issue. And I think most people
misunderstand the question because they conflate protecting routes with protecting
static content (i.e. the sensitive page-data.json for certain subpaths).

I would think it's possible that the Gatsby SPA could pass an
Authorization header, when retrieving the static JSON from some subpath of
/public (in Gatsby, the JSON contains the pages' actual content that it uses
to hydrate the HTML pages), that the Apache OpenID Connect module
would check with an identity provider, e.g. "login with Google".
Every blog article or code sample only talks about adding authentication for making API calls and not for
protecting static content. Even Gatsby's docs claim [bold added]:

Gatsby is a little different from a traditional React app in how its routes
and pages are created. Because static HTML files generated by Gatsby sit on a
file server, you cannot programmatically control access to those files (for
example: a user could guess or type in a URL and navigate straight to the page).
As the section from the Adding App and Website functionality overview page
demonstrates, client-only routes can be created to route a user between pages
using a React-based router, as opposed to navigating between different static
HTML files on a server.

But if the Gatsby SPA programmatically added an Authorization header after a
user had successfully logged into, say, Google, then the Apache module could at
runtime allow/deny access to any files found under a predetermined path, such as
/public/page-data/content/private, including any sensitive page-data.json.
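The flow described in this comment, written out as an added example (not code from the thread, from Gatsby, or from the Apache module): the client side decides which page-data requests carry the bearer token, and a server-side function models the allow/deny decision that the comment delegates to the Apache OpenID Connect module. The protected prefix `/page-data/content/private/` is taken from the comment's proposed path; `installFetchWrapper`, `buildHeaders`, `authorizePageData` and the use of the Fetch API as the transport are assumptions for illustration (whether Gatsby's own loader goes through `fetch` is not established by this thread). The token is attached only to same-origin requests under the protected prefix so it is never sent to another host, and the server-side check normalizes dot segments before comparing the prefix. As the earlier reply notes, the page content also lands in the built page JS; a server-side rule must therefore cover every artifact that carries the content, not only page-data.json.

```javascript
// Added example, not part of the original issue or of Gatsby.
// Protected prefix taken from the comment above (served from Gatsby's /public as site root).
const PROTECTED_PREFIX = "/page-data/content/private/";

// Client side: attach the token only to same-origin requests under the protected prefix.
function shouldAttachToken(url, origin) {
  let parsed;
  try {
    parsed = new URL(url, origin); // resolves relative URLs against the site origin
  } catch {
    return false; // unparseable input never gets a credential
  }
  return parsed.origin === origin && parsed.pathname.startsWith(PROTECTED_PREFIX);
}

// Build request headers, adding "Authorization: Bearer <token>" when the rule allows it.
function buildHeaders(url, origin, token, extra = {}) {
  const headers = { ...extra };
  if (token && shouldAttachToken(url, origin)) {
    headers["Authorization"] = `Bearer ${token}`;
  }
  return headers;
}

// Hypothetical wrapper around a global fetch (assumed transport); getToken returns the
// current session token or null when the user is not logged in.
function installFetchWrapper(globalObj, origin, getToken) {
  const originalFetch = globalObj.fetch;
  globalObj.fetch = (input, init = {}) => {
    const url = typeof input === "string" ? input : input.url;
    const headers = buildHeaders(url, origin, getToken(), init.headers || {});
    return originalFetch(input, { ...init, headers });
  };
}

// Server side: stand-in for the allow/deny the comment expects from the Apache module.
// verifiedSubject is the identity the identity provider already confirmed (or null).
function authorizePageData(requestPath, verifiedSubject) {
  // Normalize "." and ".." segments so a crafted path cannot slip past the prefix test.
  const normalized = new URL(requestPath, "http://placeholder.invalid").pathname;
  if (!normalized.startsWith(PROTECTED_PREFIX)) {
    return { status: 200, reason: "public artifact" };
  }
  if (!verifiedSubject) {
    return { status: 401, reason: "protected artifact, no verified identity" };
  }
  return { status: 200, reason: `protected artifact, subject ${verifiedSubject}` };
}

module.exports = { PROTECTED_PREFIX, shouldAttachToken, buildHeaders, installFetchWrapper, authorizePageData };
```

Usage: call `installFetchWrapper(window, window.location.origin, () => sessionToken)` once after login on the client; on the server, every request for a file under the protected prefix goes through `authorizePageData` (or the real module's equivalent) before the file is served.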

@huyz

huyz commented Sep 18, 2020

@arunrajnayak did you find a solution?

@huyz

huyz commented Sep 18, 2020

Ah this is where the meat of the discussion is: #1100
