Protected Routes — ODAC.JS Docs
Docs / ODAC.JS / Backend / Routing / Protected Routes

🔐 Authentication-Aware Routes

These methods let you define routes that require authentication. Only logged-in users can access these routes.

auth.page(path, controller)

Defines a page route that requires authentication.

// Only authenticated users can access the dashboard
Odac.Route.auth.page('/dashboard', 'dashboard.index');

auth.page(path, viewConfig)

Defines a controller-less page route that requires authentication.

// Only authenticated users can see this view
Odac.Route.auth.page('/profile', {
  skeleton: 'main',
  head: 'profile.head',
  content: 'profile',
  script: 'profile'
});

auth.get(path, controller, options)

Defines a GET route that requires authentication.

// API endpoint for authenticated users only
Odac.Route.auth.get('/api/user/profile', 'api.user.profile');

auth.post(path, controller, options)

Defines a POST route that requires authentication.

// Only authenticated users can update their profile
Odac.Route.auth.post('/api/user/update', 'api.user.update');

CSRF Token Protection

By default, all POST and GET routes have CSRF token protection enabled. You can disable it with the token option:

// Disable CSRF token check for this route
Odac.Route.auth.post('/api/webhook', 'api.webhook', {token: false});