Can I use navigation guards with Navigator 2.0 without GoRouter?

Yes, you can implement a custom `RouterDelegate` that listens to the BLoC state and updates the route stack accordingly. However, GoRouter simplifies this greatly and is recommended.

How do I handle deep links that point to protected routes?

In GoRouter, the `redirect` function will also run for deep links, so you can redirect unauthenticated users to login and then redirect back after login. You'll need to preserve the original location.

Should I store the auth state in a global BLoC or use a provider?

A single `AuthBloc` at the top of the widget tree is typical. Use `BlocProvider` to make it available everywhere. For role-based guards, you can read the user from the same state.

How do I test navigation guards?

Use `blocTest` to verify that the correct states are emitted. For widget tests, use `tester.pumpWidget` with a mocked `AuthBloc` and verify that the expected route is shown after navigation.

BLoC Navigation Guards: Protect Routes with Authentication & Authorization - Learn FLUTTER | Revochamp

Name: BLoC Navigation Guards: Protect Routes with Authentication & Authorization
Availability: InStock
Author: Revochamp

What are Navigation Guards?

Navigation guards are mechanisms that control access to certain routes based on conditions like authentication status, user roles, or feature flags. They prevent unauthorized users from accessing protected screens and redirect them to login or permission-denied pages. In BLoC architecture, navigation guards are implemented by observing the auth state and conditionally navigating or using route observers to intercept navigation attempts.

Why Use BLoC for Navigation Guards?

Centralized Auth State – BLoC holds the single source of truth for authentication.
Reactive Navigation – Guards automatically respond to state changes (e.g., logout redirects to login).
Separation of Concerns – Navigation logic stays in the UI layer; BLoC only manages state.
Testability – Auth state changes can be tested independently of navigation.
Consistency – Ensure all routes are protected using the same auth state.

Setup: Authentication BLoC

First, create an authentication BLoC that manages the user's auth state. This will be the source for all navigation decisions.

DARTRead-only

// auth_state.dart
enum AuthStatus { unknown, authenticated, unauthenticated }

class AuthState extends Equatable {
  final AuthStatus status;
  final User? user;
  final String? error;

  const AuthState({this.status = AuthStatus.unknown, this.user, this.error});

  AuthState copyWith({AuthStatus? status, User? user, String? error}) {
    return AuthState(
      status: status ?? this.status,
      user: user ?? this.user,
      error: error ?? this.error,
    );
  }

  @override
  List<Object?> get props => [status, user, error];
}

// auth_event.dart
abstract class AuthEvent extends Equatable { ... }
class AppStarted extends AuthEvent {}
class LoggedIn extends AuthEvent { final User user; ... }
class LoggedOut extends AuthEvent {}

// auth_bloc.dart
class AuthBloc extends Bloc<AuthEvent, AuthState> {
  AuthBloc() : super(const AuthState()) {
    on<AppStarted>(_onAppStarted);
    on<LoggedIn>(_onLoggedIn);
    on<LoggedOut>(_onLoggedOut);
  }
  // ... implementation
}

// auth_state.dart
enum AuthStatus { unknown, authenticated, unauthenticated }

class AuthState extends Equatable {
  final AuthStatus status;
  final User? user;
  final String? error;

  const AuthState({this.status = AuthStatus.unknown, this.user, this.error});

  AuthState copyWith({AuthStatus? status, User? user, String? error}) {
    return AuthState(
      status: status ?? this.status,
      user: user ?? this.user,
      error: error ?? this.error,
    );
  }

  @override
  List<Object?> get props => [status, user, error];
}

// auth_event.dart
abstract class AuthEvent extends Equatable { ... }
class AppStarted extends AuthEvent {}
class LoggedIn extends AuthEvent { final User user; ... }
class LoggedOut extends AuthEvent {}

// auth_bloc.dart
class AuthBloc extends Bloc<AuthEvent, AuthState> {
  AuthBloc() : super(const AuthState()) {
    on<AppStarted>(_onAppStarted);
    on<LoggedIn>(_onLoggedIn);
    on<LoggedOut>(_onLoggedOut);
  }
  // ... implementation
}

Navigation Guard with BlocListener (Imperative)

Place a BlocListener at the top of your widget tree to listen to auth state changes and redirect accordingly. This works with both Navigator 1.0 and 2.0.

DARTRead-only

class AppRouter extends StatelessWidget {
  @override
  Widget build(BuildContext context) {
    return BlocListener<AuthBloc, AuthState>(
      listener: (context, state) {
        if (state.status == AuthStatus.authenticated) {
          // User is logged in, navigate to home if currently on login/splash
          if (ModalRoute.of(context)?.settings.name == '/login') {
            Navigator.pushReplacementNamed(context, '/home');
          }
        } else if (state.status == AuthStatus.unauthenticated) {
          // User is logged out, navigate to login
          Navigator.pushReplacementNamed(context, '/login');
        }
      },
      child: MaterialApp(
        initialRoute: '/splash',
        routes: {
          '/splash': (context) => SplashPage(),
          '/login': (context) => LoginPage(),
          '/home': (context) => HomePage(),
          '/profile': (context) => ProfilePage(),
        },
      ),
    );
  }
}

class AppRouter extends StatelessWidget {
  @override
  Widget build(BuildContext context) {
    return BlocListener<AuthBloc, AuthState>(
      listener: (context, state) {
        if (state.status == AuthStatus.authenticated) {
          // User is logged in, navigate to home if currently on login/splash
          if (ModalRoute.of(context)?.settings.name == '/login') {
            Navigator.pushReplacementNamed(context, '/home');
          }
        } else if (state.status == AuthStatus.unauthenticated) {
          // User is logged out, navigate to login
          Navigator.pushReplacementNamed(context, '/login');
        }
      },
      child: MaterialApp(
        initialRoute: '/splash',
        routes: {
          '/splash': (context) => SplashPage(),
          '/login': (context) => LoginPage(),
          '/home': (context) => HomePage(),
          '/profile': (context) => ProfilePage(),
        },
      ),
    );
  }
}

Protecting Individual Routes

For individual routes that should be guarded, you can check the auth state before navigating or use a custom RouteGuard widget that wraps the route content.

DARTRead-only

class ProtectedRoute extends StatelessWidget {
  final Widget child;
  const ProtectedRoute({required this.child});

  @override
  Widget build(BuildContext context) {
    final authState = context.watch<AuthBloc>().state;
    if (authState.status == AuthStatus.authenticated) {
      return child;
    } else {
      // Redirect to login
      WidgetsBinding.instance.addPostFrameCallback((_) {
        Navigator.pushReplacementNamed(context, '/login');
      });
      return const Scaffold(body: Center(child: CircularProgressIndicator()));
    }
  }
}

// Usage in routes:
'/profile': (context) => ProtectedRoute(child: ProfilePage()),

class ProtectedRoute extends StatelessWidget {
  final Widget child;
  const ProtectedRoute({required this.child});

  @override
  Widget build(BuildContext context) {
    final authState = context.watch<AuthBloc>().state;
    if (authState.status == AuthStatus.authenticated) {
      return child;
    } else {
      // Redirect to login
      WidgetsBinding.instance.addPostFrameCallback((_) {
        Navigator.pushReplacementNamed(context, '/login');
      });
      return const Scaffold(body: Center(child: CircularProgressIndicator()));
    }
  }
}

// Usage in routes:
'/profile': (context) => ProtectedRoute(child: ProfilePage()),

Integration with GoRouter (Declarative Navigation)

GoRouter is a modern routing package that works seamlessly with BLoC. You can define a redirect function that reads the BLoC state and determines the appropriate route.

DARTRead-only

import 'package:go_router/go_router.dart';

final router = GoRouter(
  initialLocation: '/',
  redirect: (context, state) {
    final authState = context.read<AuthBloc>().state;
    final isLoggedIn = authState.status == AuthStatus.authenticated;
    final isGoingToLogin = state.matchedLocation == '/login';

    if (!isLoggedIn && !isGoingToLogin) {
      return '/login';
    }
    if (isLoggedIn && isGoingToLogin) {
      return '/';
    }
    return null;
  },
  routes: [
    GoRoute(
      path: '/',
      builder: (context, state) => const HomePage(),
    ),
    GoRoute(
      path: '/login',
      builder: (context, state) => const LoginPage(),
    ),
    GoRoute(
      path: '/profile',
      builder: (context, state) => const ProfilePage(),
    ),
  ],
);

// In main:
runApp(BlocProvider(
  create: (_) => AuthBloc()..add(AppStarted()),
  child: MaterialApp.router(
    routerConfig: router,
  ),
));

import 'package:go_router/go_router.dart';

final router = GoRouter(
  initialLocation: '/',
  redirect: (context, state) {
    final authState = context.read<AuthBloc>().state;
    final isLoggedIn = authState.status == AuthStatus.authenticated;
    final isGoingToLogin = state.matchedLocation == '/login';

    if (!isLoggedIn && !isGoingToLogin) {
      return '/login';
    }
    if (isLoggedIn && isGoingToLogin) {
      return '/';
    }
    return null;
  },
  routes: [
    GoRoute(
      path: '/',
      builder: (context, state) => const HomePage(),
    ),
    GoRoute(
      path: '/login',
      builder: (context, state) => const LoginPage(),
    ),
    GoRoute(
      path: '/profile',
      builder: (context, state) => const ProfilePage(),
    ),
  ],
);

// In main:
runApp(BlocProvider(
  create: (_) => AuthBloc()..add(AppStarted()),
  child: MaterialApp.router(
    routerConfig: router,
  ),
));

Role-Based Guards (Authorization)

You can extend guards to check user roles. For example, only admin users can access an admin panel.

DARTRead-only

class RoleGuard extends StatelessWidget {
  final List<String> allowedRoles;
  final Widget child;
  final Widget? forbiddenWidget;

  const RoleGuard({
    required this.allowedRoles,
    required this.child,
    this.forbiddenWidget,
  });

  @override
  Widget build(BuildContext context) {
    final authState = context.watch<AuthBloc>().state;
    if (authState.status == AuthStatus.authenticated &&
        allowedRoles.contains(authState.user?.role)) {
      return child;
    }
    return forbiddenWidget ??
        const Scaffold(
          body: Center(child: Text('Access Denied')),
        );
  }
}

// Usage in GoRouter:
GoRoute(
  path: '/admin',
  builder: (context, state) => RoleGuard(
    allowedRoles: ['admin'],
    child: AdminPage(),
  ),
);

class RoleGuard extends StatelessWidget {
  final List<String> allowedRoles;
  final Widget child;
  final Widget? forbiddenWidget;

  const RoleGuard({
    required this.allowedRoles,
    required this.child,
    this.forbiddenWidget,
  });

  @override
  Widget build(BuildContext context) {
    final authState = context.watch<AuthBloc>().state;
    if (authState.status == AuthStatus.authenticated &&
        allowedRoles.contains(authState.user?.role)) {
      return child;
    }
    return forbiddenWidget ??
        const Scaffold(
          body: Center(child: Text('Access Denied')),
        );
  }
}

// Usage in GoRouter:
GoRoute(
  path: '/admin',
  builder: (context, state) => RoleGuard(
    allowedRoles: ['admin'],
    child: AdminPage(),
  ),
);

Best Practices

Use a single source of truth – Auth state should be managed in a single BLoC (or multiple if needed) and accessed via providers.
Redirect early – In GoRouter, the redirect function runs before building any route, preventing flicker.
Avoid side effects in builders – Use BlocListener or addPostFrameCallback for navigation to avoid calling during build.
Test guards – Verify that unauthenticated users cannot access protected routes in widget tests.
Combine with hydrated_bloc – Persist auth state across app restarts to maintain login.
Show loading states – While checking auth, display a splash screen to prevent UI jumps.

Common Mistakes

❌ Calling Navigator.push inside a build method – This will run multiple times, causing navigation loops. Use BlocListener or a post-frame callback.
❌ Not handling unknown auth state – App may try to navigate before auth state is resolved, causing redirect loops.
❌ Hardcoding routes in the BLoC – BLoC should not know about navigation; keep navigation logic in the UI layer.
❌ Forgetting to dispose of subscriptions – If using a stream to listen to auth changes, ensure it's closed.
❌ Not testing guard behavior – Always write tests to ensure protected routes redirect correctly.

Conclusion

Navigation guards are essential for securing your Flutter app. By combining BLoC's auth state with tools like BlocListener or GoRouter's redirect, you can implement robust authentication and authorization flows. These patterns keep your code maintainable and your app secure.

What are Navigation Guards?

Why Use BLoC for Navigation Guards?

Centralized Auth State – BLoC holds the single source of truth for authentication.
Reactive Navigation – Guards automatically respond to state changes (e.g., logout redirects to login).
Separation of Concerns – Navigation logic stays in the UI layer; BLoC only manages state.
Testability – Auth state changes can be tested independently of navigation.
Consistency – Ensure all routes are protected using the same auth state.

Setup: Authentication BLoC

First, create an authentication BLoC that manages the user's auth state. This will be the source for all navigation decisions.

DARTRead-only

// auth_state.dart
enum AuthStatus { unknown, authenticated, unauthenticated }

class AuthState extends Equatable {
  final AuthStatus status;
  final User? user;
  final String? error;

  const AuthState({this.status = AuthStatus.unknown, this.user, this.error});

  AuthState copyWith({AuthStatus? status, User? user, String? error}) {
    return AuthState(
      status: status ?? this.status,
      user: user ?? this.user,
      error: error ?? this.error,
    );
  }

  @override
  List<Object?> get props => [status, user, error];
}

// auth_event.dart
abstract class AuthEvent extends Equatable { ... }
class AppStarted extends AuthEvent {}
class LoggedIn extends AuthEvent { final User user; ... }
class LoggedOut extends AuthEvent {}

// auth_bloc.dart
class AuthBloc extends Bloc<AuthEvent, AuthState> {
  AuthBloc() : super(const AuthState()) {
    on<AppStarted>(_onAppStarted);
    on<LoggedIn>(_onLoggedIn);
    on<LoggedOut>(_onLoggedOut);
  }
  // ... implementation
}

// auth_state.dart
enum AuthStatus { unknown, authenticated, unauthenticated }

class AuthState extends Equatable {
  final AuthStatus status;
  final User? user;
  final String? error;

  const AuthState({this.status = AuthStatus.unknown, this.user, this.error});

  AuthState copyWith({AuthStatus? status, User? user, String? error}) {
    return AuthState(
      status: status ?? this.status,
      user: user ?? this.user,
      error: error ?? this.error,
    );
  }

  @override
  List<Object?> get props => [status, user, error];
}

// auth_event.dart
abstract class AuthEvent extends Equatable { ... }
class AppStarted extends AuthEvent {}
class LoggedIn extends AuthEvent { final User user; ... }
class LoggedOut extends AuthEvent {}

// auth_bloc.dart
class AuthBloc extends Bloc<AuthEvent, AuthState> {
  AuthBloc() : super(const AuthState()) {
    on<AppStarted>(_onAppStarted);
    on<LoggedIn>(_onLoggedIn);
    on<LoggedOut>(_onLoggedOut);
  }
  // ... implementation
}

Navigation Guard with BlocListener (Imperative)

Place a BlocListener at the top of your widget tree to listen to auth state changes and redirect accordingly. This works with both Navigator 1.0 and 2.0.

DARTRead-only

class AppRouter extends StatelessWidget {
  @override
  Widget build(BuildContext context) {
    return BlocListener<AuthBloc, AuthState>(
      listener: (context, state) {
        if (state.status == AuthStatus.authenticated) {
          // User is logged in, navigate to home if currently on login/splash
          if (ModalRoute.of(context)?.settings.name == '/login') {
            Navigator.pushReplacementNamed(context, '/home');
          }
        } else if (state.status == AuthStatus.unauthenticated) {
          // User is logged out, navigate to login
          Navigator.pushReplacementNamed(context, '/login');
        }
      },
      child: MaterialApp(
        initialRoute: '/splash',
        routes: {
          '/splash': (context) => SplashPage(),
          '/login': (context) => LoginPage(),
          '/home': (context) => HomePage(),
          '/profile': (context) => ProfilePage(),
        },
      ),
    );
  }
}

class AppRouter extends StatelessWidget {
  @override
  Widget build(BuildContext context) {
    return BlocListener<AuthBloc, AuthState>(
      listener: (context, state) {
        if (state.status == AuthStatus.authenticated) {
          // User is logged in, navigate to home if currently on login/splash
          if (ModalRoute.of(context)?.settings.name == '/login') {
            Navigator.pushReplacementNamed(context, '/home');
          }
        } else if (state.status == AuthStatus.unauthenticated) {
          // User is logged out, navigate to login
          Navigator.pushReplacementNamed(context, '/login');
        }
      },
      child: MaterialApp(
        initialRoute: '/splash',
        routes: {
          '/splash': (context) => SplashPage(),
          '/login': (context) => LoginPage(),
          '/home': (context) => HomePage(),
          '/profile': (context) => ProfilePage(),
        },
      ),
    );
  }
}

Protecting Individual Routes

For individual routes that should be guarded, you can check the auth state before navigating or use a custom RouteGuard widget that wraps the route content.

DARTRead-only

class ProtectedRoute extends StatelessWidget {
  final Widget child;
  const ProtectedRoute({required this.child});

  @override
  Widget build(BuildContext context) {
    final authState = context.watch<AuthBloc>().state;
    if (authState.status == AuthStatus.authenticated) {
      return child;
    } else {
      // Redirect to login
      WidgetsBinding.instance.addPostFrameCallback((_) {
        Navigator.pushReplacementNamed(context, '/login');
      });
      return const Scaffold(body: Center(child: CircularProgressIndicator()));
    }
  }
}

// Usage in routes:
'/profile': (context) => ProtectedRoute(child: ProfilePage()),

class ProtectedRoute extends StatelessWidget {
  final Widget child;
  const ProtectedRoute({required this.child});

  @override
  Widget build(BuildContext context) {
    final authState = context.watch<AuthBloc>().state;
    if (authState.status == AuthStatus.authenticated) {
      return child;
    } else {
      // Redirect to login
      WidgetsBinding.instance.addPostFrameCallback((_) {
        Navigator.pushReplacementNamed(context, '/login');
      });
      return const Scaffold(body: Center(child: CircularProgressIndicator()));
    }
  }
}

// Usage in routes:
'/profile': (context) => ProtectedRoute(child: ProfilePage()),

Integration with GoRouter (Declarative Navigation)

GoRouter is a modern routing package that works seamlessly with BLoC. You can define a redirect function that reads the BLoC state and determines the appropriate route.

DARTRead-only

import 'package:go_router/go_router.dart';

final router = GoRouter(
  initialLocation: '/',
  redirect: (context, state) {
    final authState = context.read<AuthBloc>().state;
    final isLoggedIn = authState.status == AuthStatus.authenticated;
    final isGoingToLogin = state.matchedLocation == '/login';

    if (!isLoggedIn && !isGoingToLogin) {
      return '/login';
    }
    if (isLoggedIn && isGoingToLogin) {
      return '/';
    }
    return null;
  },
  routes: [
    GoRoute(
      path: '/',
      builder: (context, state) => const HomePage(),
    ),
    GoRoute(
      path: '/login',
      builder: (context, state) => const LoginPage(),
    ),
    GoRoute(
      path: '/profile',
      builder: (context, state) => const ProfilePage(),
    ),
  ],
);

// In main:
runApp(BlocProvider(
  create: (_) => AuthBloc()..add(AppStarted()),
  child: MaterialApp.router(
    routerConfig: router,
  ),
));

import 'package:go_router/go_router.dart';

final router = GoRouter(
  initialLocation: '/',
  redirect: (context, state) {
    final authState = context.read<AuthBloc>().state;
    final isLoggedIn = authState.status == AuthStatus.authenticated;
    final isGoingToLogin = state.matchedLocation == '/login';

    if (!isLoggedIn && !isGoingToLogin) {
      return '/login';
    }
    if (isLoggedIn && isGoingToLogin) {
      return '/';
    }
    return null;
  },
  routes: [
    GoRoute(
      path: '/',
      builder: (context, state) => const HomePage(),
    ),
    GoRoute(
      path: '/login',
      builder: (context, state) => const LoginPage(),
    ),
    GoRoute(
      path: '/profile',
      builder: (context, state) => const ProfilePage(),
    ),
  ],
);

// In main:
runApp(BlocProvider(
  create: (_) => AuthBloc()..add(AppStarted()),
  child: MaterialApp.router(
    routerConfig: router,
  ),
));

Role-Based Guards (Authorization)

You can extend guards to check user roles. For example, only admin users can access an admin panel.

DARTRead-only

class RoleGuard extends StatelessWidget {
  final List<String> allowedRoles;
  final Widget child;
  final Widget? forbiddenWidget;

  const RoleGuard({
    required this.allowedRoles,
    required this.child,
    this.forbiddenWidget,
  });

  @override
  Widget build(BuildContext context) {
    final authState = context.watch<AuthBloc>().state;
    if (authState.status == AuthStatus.authenticated &&
        allowedRoles.contains(authState.user?.role)) {
      return child;
    }
    return forbiddenWidget ??
        const Scaffold(
          body: Center(child: Text('Access Denied')),
        );
  }
}

// Usage in GoRouter:
GoRoute(
  path: '/admin',
  builder: (context, state) => RoleGuard(
    allowedRoles: ['admin'],
    child: AdminPage(),
  ),
);

class RoleGuard extends StatelessWidget {
  final List<String> allowedRoles;
  final Widget child;
  final Widget? forbiddenWidget;

  const RoleGuard({
    required this.allowedRoles,
    required this.child,
    this.forbiddenWidget,
  });

  @override
  Widget build(BuildContext context) {
    final authState = context.watch<AuthBloc>().state;
    if (authState.status == AuthStatus.authenticated &&
        allowedRoles.contains(authState.user?.role)) {
      return child;
    }
    return forbiddenWidget ??
        const Scaffold(
          body: Center(child: Text('Access Denied')),
        );
  }
}

// Usage in GoRouter:
GoRoute(
  path: '/admin',
  builder: (context, state) => RoleGuard(
    allowedRoles: ['admin'],
    child: AdminPage(),
  ),
);

Best Practices

Use a single source of truth – Auth state should be managed in a single BLoC (or multiple if needed) and accessed via providers.
Redirect early – In GoRouter, the redirect function runs before building any route, preventing flicker.
Avoid side effects in builders – Use BlocListener or addPostFrameCallback for navigation to avoid calling during build.
Test guards – Verify that unauthenticated users cannot access protected routes in widget tests.
Combine with hydrated_bloc – Persist auth state across app restarts to maintain login.
Show loading states – While checking auth, display a splash screen to prevent UI jumps.

Common Mistakes

❌ Calling Navigator.push inside a build method – This will run multiple times, causing navigation loops. Use BlocListener or a post-frame callback.
❌ Not handling unknown auth state – App may try to navigate before auth state is resolved, causing redirect loops.
❌ Hardcoding routes in the BLoC – BLoC should not know about navigation; keep navigation logic in the UI layer.
❌ Forgetting to dispose of subscriptions – If using a stream to listen to auth changes, ensure it's closed.
❌ Not testing guard behavior – Always write tests to ensure protected routes redirect correctly.

BLoC Navigation Guards: Protect Routes with Authentication & Authorization

BLoC Navigation Guards: Protect Routes with Authentication & Authorization

What are Navigation Guards?

Why Use BLoC for Navigation Guards?

Setup: Authentication BLoC

Navigation Guard with BlocListener (Imperative)

Protecting Individual Routes

Integration with GoRouter (Declarative Navigation)

Role-Based Guards (Authorization)

Best Practices

Common Mistakes

Conclusion

Try it yourself

Test Your Knowledge

Frequently Asked Questions

Need help?

BLoC Navigation Guards: Protect Routes with Authentication & Authorization

BLoC Navigation Guards: Protect Routes with Authentication & Authorization

What are Navigation Guards?

Why Use BLoC for Navigation Guards?

Setup: Authentication BLoC

Navigation Guard with BlocListener (Imperative)

Protecting Individual Routes

Integration with GoRouter (Declarative Navigation)

Role-Based Guards (Authorization)

Best Practices

Common Mistakes

Conclusion

Try it yourself

Test Your Knowledge

Frequently Asked Questions

Need help?