How are people handling authorization?
I noticed that with V10, any mentions of trpc-shield are gone from the documentation. Also, it only has 200 stars on GH, which is not that much when compared to tRPC itself. So I would be interested in how you are handling authorization when using tRPC?
8 Replies
Home-rolled tRPC middleware
It’s only around 20-30 lines of code because you probably have some verifier library for whatever auth method you’re using, so you just grab the header and verify it, then attach the middleware to a baseProcedure and use it
Throw a TRPCError with appropriate code on failure of course
Hey, thanks for your answer! Can you maybe go into a bit more detail on this? Or do you maybe even have an example?
There’s not much detail to go into. Take a look at the middleware docs for that piece. What are you using for auth?
Right now, I'm using NextAuth
Isn’t that just an adapter for other providers? Are you using some other provider or something baked into Next?
I haven't settled on providers yet but I'm aiming for a mix of a few in addition to providing mail/password
probably Discord, Github, Google
In addition to mail/password and maybe magic links
Got it
There may be a way to keep using next auth, I’m aware a lot of people integrate tRPC and next quite tightly but I have no experience with it personally
For social providers I guess you are looking at more of an auth framework. But either way you might not find a mature trpc integration just yet and be best to use the lower level APIs to implement it
I’ve used tools like Azure b2c and Okta which often do have social auth support too, and they’ll give you just a simple verifier library like I mentioned originally
If you’ve just started on your app, maybe consider using create-t3-app to generate your project. It sets up next auth for you
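
The home-rolled middleware described in the replies above (grab the header, verify it, throw with an appropriate code), as an added example that is not part of the thread and not tRPC's own code. `authorize`, `makeAuthMiddleware`, `demoVerify` and `AuthError` are hypothetical names; `AuthError` stands in for tRPC's `TRPCError` and the verifier for your provider's library, so the block runs without either installed.

```typescript
type Code = "UNAUTHORIZED" | "FORBIDDEN";

// Local stand-in for TRPCError from @trpc/server (assumption: same code names).
class AuthError extends Error {
  code: Code;
  constructor(code: Code, message: string) {
    super(message);
    this.code = code;
  }
}

type User = { id: string; roles: string[] };
// Stand-in for the provider's verifier library: user for a valid token, else null.
type Verify = (token: string) => User | null;
// Node lower-cases header names; a repeated header may arrive as an array.
type Headers = Record<string, string | string[] | undefined>;

function authorize(headers: Headers, verify: Verify, requiredRole?: string): User {
  const raw = headers["authorization"];
  // Reject a missing or duplicated header instead of picking one value.
  if (typeof raw !== "string") throw new AuthError("UNAUTHORIZED", "missing credentials");
  if (!/^Bearer [A-Za-z0-9._~+\/-]+=*$/.test(raw)) {
    throw new AuthError("UNAUTHORIZED", "malformed Authorization header");
  }
  const user = verify(raw.slice("Bearer ".length));
  if (!user) throw new AuthError("UNAUTHORIZED", "invalid token");
  // Known identity without the required role is FORBIDDEN, not UNAUTHORIZED.
  if (requiredRole && user.roles.indexOf(requiredRole) === -1) {
    throw new AuthError("FORBIDDEN", "missing role");
  }
  return user;
}

// Middleware shape: check first, then hand the verified user on through ctx.
function makeAuthMiddleware(verify: Verify, requiredRole?: string) {
  type Opts<T> = { ctx: { headers: Headers }; next: (o: { ctx: { user: User } }) => T };
  return function mw<T>(opts: Opts<T>): T {
    return opts.next({ ctx: { user: authorize(opts.ctx.headers, verify, requiredRole) } });
  };
}

// Constructed verifier and tokens, for demonstration only.
const demoVerify: Verify = (t) =>
  t === "tok-admin" ? { id: "u1", roles: ["admin"] } :
  t === "tok-user" ? { id: "u2", roles: [] } : null;

// Returns the user id on success, or the error code the client would see.
function codeFor(headers: Headers, role?: string): string {
  try { return authorize(headers, demoVerify, role).id; }
  catch (e) { return (e as AuthError).code; }
}
```

In a tRPC v10 app the same check would live inside `t.middleware(...)`, throw `TRPCError`, and be attached to a base procedure with `.use(...)`.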