Json 🧈 • 2mo ago

Where should authorization/permissions checks happen?

Hey there 👋 What is generally the preferred place to perform permissions checks? Using meta, within a procedure method, within the definition of the procedure via middleware, or something else? I initially opted for performing checks within defined procedure methods, but this results in quite a bit of code duplication, so I figure using meta could be better (it does feel intuitive). Yet, this somehow feels non-standard. I haven't seen this before... in an ideal world this permissions object could be passed into a procedure as an arg alongside the handler/method as a kind of augmentation. Currently, I am exploring the use of meta to do this:
// router entry: the required permissions are declared in .meta()
create: authedProcedure
  .input(exampleRepo.create.inputSchema.omit({ submittedById: true }))
  .meta({
    authorize: {
      permissions: {
        exampleResource: ["create"],
      },
    },
  })
  .mutation(async ({ ctx, input }) => {
    return await exampleRepo.create.handler({
      // values
    });
  })
4 Replies
Json 🧈 (OP) • 2mo ago
One alternative that I've considered is to define a procedure as a function of a permissions config. This is very elegant, but also I have not seen this before.
// router entry: the permissions config is passed to a procedure factory
create: authorizedProcedure({ permissions: { exampleResource: ["create"] } })
  .input(exampleRepo.create.inputSchema.omit({ submittedById: true }))
  .mutation(async ({ ctx, input }) => {
    // Authorization already handled
    return await exampleRepo.create.handler({...});
  }),
Nick • 2mo ago
The use of meta to configure a middleware in the base procedure is how I do it too and it’s very pleasant to use. Definitely recommend that approach
Json 🧈 (OP) • 2mo ago
Great, thanks! Curious, you do apply the middleware to the base procedure and not an authenticated procedure?
Nick • 2mo ago
Up to you, my middleware can be entirely turned off by meta so I use it globally
