You can set up the middleware to run before the protected page(or any other pages you want) is loaded so at that point you can check user authentication redirect them wherever you want if they arent authenticated. so even if they type it out they wont access it.