[{"data":1,"prerenderedAt":211},["ShallowReactive",2],{"navigation_docs":3,"-core-concepts-security-caveats":129,"-core-concepts-security-caveats-surround":206},[4,34,63,80,101,110],{"title":5,"path":6,"stem":7,"children":8,"page":33},"Getting Started","/getting-started","1.getting-started",[9,13,17,21,25,29],{"title":10,"path":11,"stem":12},"Quickstart","/getting-started/quickstart","1.getting-started/0.quickstart",{"title":14,"path":15,"stem":16},"Installation","/getting-started/installation","1.getting-started/1.installation",{"title":18,"path":19,"stem":20},"Server Configuration","/getting-started/configuration","1.getting-started/2.configuration",{"title":22,"path":23,"stem":24},"Client Setup","/getting-started/client-setup","1.getting-started/3.client-setup",{"title":26,"path":27,"stem":28},"Type Augmentation","/getting-started/type-augmentation","1.getting-started/4.type-augmentation",{"title":30,"path":31,"stem":32},"Schema Generation","/getting-started/schema-generation","1.getting-started/5.schema-generation",false,{"title":35,"path":36,"stem":37,"children":38,"page":33},"Core Concepts","/core-concepts","2.core-concepts",[39,43,47,51,55,59],{"title":40,"path":41,"stem":42},"How It Works","/core-concepts/how-it-works","2.core-concepts/0.how-it-works",{"title":44,"path":45,"stem":46},"`serverAuth()`","/core-concepts/server-auth","2.core-concepts/1.server-auth",{"title":48,"path":49,"stem":50},"Sessions","/core-concepts/sessions","2.core-concepts/2.sessions",{"title":52,"path":53,"stem":54},"Route Protection","/core-concepts/route-protection","2.core-concepts/3.route-protection",{"title":56,"path":57,"stem":58},"Auto‑Imports and Aliases","/core-concepts/auto-imports-aliases","2.core-concepts/4.auto-imports-aliases",{"title":60,"path":61,"stem":62},"Security & Caveats","/core-concepts/security-caveats","2.core-concepts/5.security-caveats",{"title":64,"path":65,"stem":66,"children":67,"page":33},"Guides","/guides","3.guides",[68,72,76],{"title":69,"path":70,"stem":71},"Role‑Based Access","/guides/role-based-access","3.guides/1.role-based-access",{"title":73,"path":74,"stem":75},"Protecting API Routes","/guides/api-protection","3.guides/2.api-protection",{"title":77,"path":78,"stem":79},"Database Dialects","/guides/custom-dialects","3.guides/3.custom-dialects",{"title":81,"path":82,"stem":83,"children":84,"page":33},"API Reference","/api","4.api",[85,89,93,97],{"title":86,"path":87,"stem":88},"Composables","/api/composables","4.api/1.composables",{"title":90,"path":91,"stem":92},"Server Utilities","/api/server-utils","4.api/2.server-utils",{"title":94,"path":95,"stem":96},"Components","/api/components","4.api/3.components",{"title":98,"path":99,"stem":100},"Types","/api/types","4.api/4.types",{"title":102,"path":103,"stem":104,"children":105,"page":33},"Troubleshooting","/troubleshooting","5.troubleshooting",[106],{"title":107,"path":108,"stem":109},"FAQ","/troubleshooting/faq","5.troubleshooting/1.faq",{"title":111,"path":112,"stem":113,"children":114},"Better Auth","/better-auth","6.better-auth",[115,117,121,125],{"title":111,"path":112,"stem":116},"6.better-auth/index",{"title":118,"path":119,"stem":120},"OAuth & Social Providers","/better-auth/oauth","6.better-auth/1.oauth",{"title":122,"path":123,"stem":124},"Plugins","/better-auth/plugins","6.better-auth/2.plugins",{"title":126,"path":127,"stem":128},"Client Plugins (Exports)","/better-auth/client-plugins","6.better-auth/3.client-plugins",{"id":130,"title":60,"body":131,"description":199,"extension":200,"links":201,"meta":202,"navigation":203,"path":61,"seo":204,"stem":62,"__hash__":205},"docs/2.core-concepts/5.security-caveats.md",{"type":132,"value":133,"toc":192},"minimark",[134,139,148,151,155,167,178,182],[135,136,138],"h2",{"id":137},"client-redirects-are-not-security","Client redirects are not security",[140,141,142,143,147],"p",{},"The global route middleware protects ",[144,145,146],"strong",{},"pages"," by redirecting users on the client. This is for UX, not a security boundary.",[140,149,150],{},"If you have sensitive data, enforce access on the server (API handlers, server routes, DB queries).",[135,152,154],{"id":153},"api-enforcement-behavior","API enforcement behavior",[140,156,157,158,162,163,166],{},"The built-in Nitro middleware only checks ",[159,160,161],"code",{},"routeRules.role"," for ",[159,164,165],{},"/api/**",".",[140,168,169,170,173,174,177],{},"If you want different behavior (e.g. enforce ",[159,171,172],{},"auth: 'user'"," for APIs), add your own Nitro middleware and/or call ",[159,175,176],{},"requireUserSession(event)"," directly inside handlers.",[135,179,181],{"id":180},"default-login-route","Default login route",[140,183,184,185,188,189,191],{},"Unauthenticated users are redirected to ",[159,186,187],{},"/login"," when a page requires auth. If your app uses a different login path, create a ",[159,190,187],{}," route or implement your own route middleware.",{"title":193,"searchDepth":194,"depth":194,"links":195},"",2,[196,197,198],{"id":137,"depth":194,"text":138},{"id":153,"depth":194,"text":154},{"id":180,"depth":194,"text":181},"What is enforced where, and what you should not assume.","md",null,{},true,{"title":60,"description":199},"MKtH6V5_cqvuGKXQQUWGN4RBbobOy-SCnSLGu39delM",[207,209],{"title":56,"path":57,"stem":58,"description":208,"children":-1},"What the module registers for you.",{"title":69,"path":70,"stem":71,"description":210,"children":-1},"Enforce roles on pages and server handlers.",1765664061867]