ZTS Docs

Proxy & route protection

Request handling in apps/web/src/proxy.ts (Next.js proxy).

Route protection and root-path rewriting live in apps/web/src/proxy.ts. In Next.js 16+ this filename replaces the older middleware.ts; the behavior is the same class of edge/proxy logic.

Root path handling (/)

There is no page.tsx at /. The proxy intercepts / and:

  1. Checks for a Better Auth session cookie.
  2. Rewrites to /app when a session exists (browser URL stays /).
  3. Rewrites to /home when no session exists.

Logged-in users can still open /home explicitly.

Route protection

  1. Session cookie: getSessionCookie from better-auth/cookies.
  2. Path lists: authRoutes, passwordRoutes, adminRoutes, alwaysAllowedRoutes (e.g. /home, /blog).
  3. Redirects:
    • No session: allow auth/password routes; otherwise redirect to /signin.
    • Active session: redirect away from auth/password routes to /.
    • Admin routes: fetch session from /api/auth/get-session and require role === 'admin', else redirect to /.

Admin routes

Proxy checks on /admin are UX only. Real enforcement is adminProcedure in packages/trpc/src/trpc.ts, which throws UNAUTHORIZED if ctx.session.user.role !== 'admin'.
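
The root rewrite, the route-protection redirects and the split between the proxy check and server-side enforcement, modelled as a pure decision function plus a guard. This is an added example, not the code in apps/web/src/proxy.ts or packages/trpc/src/trpc.ts; decide, requireAdmin, UnauthorizedError, the prefix matching, the rule order and the route entries other than /home and /blog are assumptions.

```typescript
// Added example: pure model of the proxy rules described on this page.
type Session = { user: { role: string } } | null;
type Decision =
  | { kind: "rewrite"; to: string }
  | { kind: "redirect"; to: string }
  | { kind: "next" };

const authRoutes = ["/signin", "/signup"];      // assumed entries
const passwordRoutes = ["/forgot-password"];    // assumed entries
const adminRoutes = ["/admin"];
const alwaysAllowedRoutes = ["/home", "/blog"]; // examples given on the page

// Assumption: a route matches itself and anything below it.
const matches = (path: string, routes: string[]): boolean =>
  routes.some((r) => path === r || path.startsWith(r + "/"));

// hasCookie: the session cookie is present (presence only, not validated).
// session: result of the /api/auth/get-session lookup, consulted for admin routes.
function decide(path: string, hasCookie: boolean, session: Session): Decision {
  // Root path: rewrite, so the browser URL stays "/".
  if (path === "/") return { kind: "rewrite", to: hasCookie ? "/app" : "/home" };
  if (matches(path, alwaysAllowedRoutes)) return { kind: "next" };
  const isAuthPath = matches(path, authRoutes) || matches(path, passwordRoutes);
  if (!hasCookie) {
    return isAuthPath ? { kind: "next" } : { kind: "redirect", to: "/signin" };
  }
  if (isAuthPath) return { kind: "redirect", to: "/" };
  if (matches(path, adminRoutes) && session?.user.role !== "admin") {
    return { kind: "redirect", to: "/" };
  }
  return { kind: "next" };
}

// Server-side enforcement, modelled on the adminProcedure check described above.
class UnauthorizedError extends Error {
  readonly code = "UNAUTHORIZED";
}
function requireAdmin(session: Session): void {
  if (session?.user.role !== "admin") throw new UnauthorizedError("admin role required");
}
```

In this model a request that carries a session cookie but has no valid session still passes decide on a non-admin path, because that branch only sees that the cookie exists; requireAdmin rejects it.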
