How to

Setup

Project Configuration Branding Updating the Logo Updating the Fonts Updating the Favicons Environment variables Setting up Emails

Marketing Pages

Updating the Navigation menu Adding Pages

User Interface

Dark Theme Theming

Application Pages

Adding Pages Updating the Sidebar menu Passing data from server to client Guarding Pages

Authentication

Change Authentication strategy Require Email Verification

API Routes

Adding API Routes Guarding an API Route Calling API Routes from the client Checking CSRF Tokens

Contextual Data

Fetching the signed in User Fetching the selected Organization

Reading Data

Reading a Document Reading a list of Documents

Writing Data

Creating a Document Updating a Document Deleting a Document

Payments

Configuring Plans Running the Stripe Webhook locally Using Lemon Squeezy instead of Stripe

Translations

Adding a new translation string Setting a Default Language Adding a new language Using the Language Switcher Detect current Locale

Getting Started

Introduction Technical Details Clone the repository Running the application Coding Conventions

Configuration

Global Configuration Setting up your Firebase Project Feature Flags Setting up Firebase Functions

Architecture

Architecture and Folder Structure Structure your Application Data Model

UI

Tailwind CSS Shadcn UI Themes

Authentication

Auth Overview Setting up Firebase Auth Auth Flow Third-Party Providers Email Link Authentication Multi-Factor Authentication Requiring Email verification Auth SSR Page Guards API Guards Prevent abuse with AppCheck Custom React Hooks Troubleshooting

Data Fetching

Writing data to Firestore Fetching data from Firestore API requests Reading data from Storage Uploading data to Storage Writing your own Fetch

Development

Building Features Commands Code Style Security Rules Translations and Locales Sending Emails Writing API Routes Validating API payload with Zod Logging Enable CORS Encrypting Secrets User Roles

Payments

Stripe Configuration Stripe Webhooks One-Time Payments Migrate to Lemon Squeezy Disable Stripe

Admin

Overview Adding Admins

Blog and Docs

Overview Blog Documentation Search Functionality

Organizations

Overview Extending Organizations User Permissions Subscription Permissions Custom React Hooks

Utilities

MDX React Hooks

Migrations

Migrating to 0.11.0

Testing

Running Tests CI Tests Limitations

Going to Production

Production Checklist Environment Variables Security Rules

Plugins

Cookie Banner Feedback Popup AI Chatbot

API Reference

Reactfire useCurrentOrganization useCurrentUserRole useUserSession useIsSubscriptionActive withAppProps withTranslationProps withAuthProps withPipe withMethodsGuard withAuthedUser withExceptionFilter withCsrf

Documentation
Next.js Firebase
Checking CSRF Tokens

Checking CSRF Tokens

How to check CSRF tokens in your Next.js Firebase API routes using the "withCsrf" HOC.

You can use the withCsrf HOC to ensure only users with a valid CSRF token can access your API routes.

The CSRF token must be sent in the x-csrf-token header of the request. If the token is not present, or if it's invalid, the request will be rejected.

pages/api/hello.ts


import { NextApiRequest, NextApiResponse } from "next";
 
import { withAuthedUser } from '~/core/middleware/with-authed-user';
import { withMethodsGuard } from '~/core/middleware/with-methods-guard';
import { withPipe } from '~/core/middleware/with-pipe';
import withCsrf from "./with-csrf";
 
function helloWorldHandler(
  req: NextApiRequest,
  res: NextApiResponse
) {
  res.status(200).json({ text: 'Hello' })
}
 
export default withPipe(
  withAuthedUser,
  withMethodsGuard(['POST']),
  withCsrf(),
  helloWorldHandler,
);

If you pass the CSRF token in different ways, you can pass a function to the withCsrf HOC to retrieve the token from the request.

pages/api/hello.ts


import { NextApiRequest, NextApiResponse } from "next";
 
import { withAuthedUser } from '~/core/middleware/with-authed-user';
import { withMethodsGuard } from '~/core/middleware/with-methods-guard';
import { withPipe } from '~/core/middleware/with-pipe';
import withCsrf from "./with-csrf";
 
async function helloWorldHandler(
  req: NextApiRequest,
  res: NextApiResponse
) {
  await withCsrf(req, () => req.body.csrfToken);
 
  res.status(200).json({ text: 'Hello' })
}
 
export default withPipe(
  withAuthedUser,
  withMethodsGuard(['POST']),
  helloWorldHandler,
);

PreviousCalling API Routes from the client-side using SWE

Subscribe to our Newsletter

Get the latest updates about React, Remix, Next.js, Firebase, Supabase and Tailwind CSS