Update README

2026-06-04 21:04:37 +08:00 · 2025-03-23 03:03:11 -07:00 · 2025-03-23 03:03:11 -07:00 · 6398859734
commit 6398859734
parent a0e32c0fbd
2 changed files with 22 additions and 21 deletions
--- a/README.md
+++ b/README.md
@ -135,10 +135,11 @@ pnpm build:packages
 pnpm codegen

 # Start the dependencies (DB, Inbucket, etc.) as Docker containers, seeding the DB with the Prisma schema
+# Make sure you have Docker (or OrbStack) installed and running
 pnpm restart-deps
 # restart-deps is the same as:
-#   pnpm run stop-deps  (if the containers are already running)
-#   pnpm run start-deps
+#   pnpm stop-deps  (if the containers are already running)
+#   pnpm start-deps

 # Start the dev server
 pnpm dev
--- a/docs/fern/docs/pages-template/getting-started/users.mdx
+++ b/docs/fern/docs/pages-template/getting-started/users.mdx
@ -56,24 +56,6 @@ Middleware can be used whenever it is easy to tell whether a page should be prot


 <Tabs>
-  <Tab title="Middleware">
-    ```tsx title="middleware.tsx"
-    export async function middleware(request: NextRequest) {
-      const user = await stackServerApp.getUser();
-      if (!user) {
-        return NextResponse.redirect(new URL('/handler/sign-in', request.url));
-      }
-      return NextResponse.next();
-    }
-
-    export const config = {
-      // You can add your own route protection logic here
-      // Make sure not to protect the root URL, as it would prevent users from accessing static Next.js files or Stack's /handler path
-      matcher: '/protected/:path*',
-    };
-    ```
-  </Tab>
-
  <Tab title="Client Component">
    ```tsx title="my-protected-client-component.tsx"
    "use client";
@ -96,6 +78,24 @@ Middleware can be used whenever it is easy to tell whether a page should be prot
    }
    ```
  </Tab>
+
+  <Tab title="Middleware">
+    ```tsx title="middleware.tsx"
+    export async function middleware(request: NextRequest) {
+      const user = await stackServerApp.getUser();
+      if (!user) {
+        return NextResponse.redirect(new URL('/handler/sign-in', request.url));
+      }
+      return NextResponse.next();
+    }
+
+    export const config = {
+      // You can add your own route protection logic here
+      // Make sure not to protect the root URL, as it would prevent users from accessing static Next.js files or Stack's /handler path
+      matcher: '/protected/:path*',
+    };
+    ```
+  </Tab>
 </Tabs>

 <Note>
@ -109,7 +109,7 @@ Middleware can be used whenever it is easy to tell whether a page should be prot
  
    To remediate this, every component/page that contains sensitive information should protect itself, instead of relying on an outer layout. This is good practice anyways; it prevents you from accidentally exposing the data.
  
-  - **Middleware**: Because middleware runs on the edge, it ensures that the protected URLs are not accessible to anyone who is not authorized, so you don't have to worry about Next.js pre-sending unprotected components to the client.
+  - **Middleware**: Prior to Next.js v15.2.3, Next.js allowed attackers to see unprotected components if you only protect on a middleware level. Since v15.2.3, this is no longer possible, and you don't have to worry about leaking sensitive information when using middleware to protect a route.
  
  No matter which method you use, attackers will never be able to, say, impersonate a user.