tRPC • 8mo ago
5 replies
.jsonp

Where should authorization/permissions checks happen?

Hey there 👋 What is generally the preferred place to perform permissions checks? Using meta, within a procedure method, within the definition of the procedure via middleware, or something else?

I initially opted for performing checks within defined procedure methods, but this results in quite a bit of code duplication, so I figure using meta could be better (it does feel intuitive). Yet, this somehow feels non-standard. I haven't seen this before... in an ideal world this permissions object could be passed into a procedure as an arg alongside the handler/method as a kind of augmentation.

Currently, I am exploring the use of meta to do this:

create: authedProcedure
  .input(exampleRepo.create.inputSchema.omit({ submittedById: true }))
  .meta({
    authorize: {
      permissions: {
        exampleResource: ["create"],
      },
    },
  })
  .mutation(async ({ ctx, input }) => {
    return await exampleRepo.create.handler({
      // values
    });
  })
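
An added example, not part of the original post or of tRPC itself: one way to keep the `meta` declaration shown above and enforce it in a single place, so handlers carry no duplicated checks. The `authorize` helper, the `AuthContext` shape (user grants stored in the same resource-to-actions form) and the deny-by-default behaviour for procedures without meta are assumptions of this example.

```typescript
// Shape of the meta object from the post: resource name -> required actions.
type PermissionMap = Record<string, string[]>;
interface AuthMeta {
  authorize?: { permissions: PermissionMap };
}

// Assumption: the authenticated user's grants are loaded into ctx in the same shape.
interface AuthContext {
  user: { id: string; permissions: PermissionMap } | null;
}

type Decision =
  | { allowed: true }
  | { allowed: false; code: "UNAUTHORIZED" | "FORBIDDEN"; missing: string[] };

// Hypothetical helper: decides whether a call may proceed, using only meta and ctx.
function authorize(meta: AuthMeta | undefined, ctx: AuthContext): Decision {
  const user = ctx.user;
  if (!user) return { allowed: false, code: "UNAUTHORIZED", missing: [] };

  // Deny by default (a choice made in this example): a procedure that never
  // declared .meta() fails closed instead of silently skipping the check.
  const required = meta?.authorize?.permissions;
  if (!required) {
    return { allowed: false, code: "FORBIDDEN", missing: ["<no meta declared>"] };
  }

  const missing: string[] = [];
  for (const resource of Object.keys(required)) {
    const granted = user.permissions[resource] ?? [];
    for (const action of required[resource]) {
      if (granted.indexOf(action) === -1) missing.push(`${resource}:${action}`);
    }
  }
  return missing.length === 0
    ? { allowed: true }
    : { allowed: false, code: "FORBIDDEN", missing };
}

// Wiring sketch using tRPC's middleware API, applied once on the base procedure:
//   const authedProcedure = t.procedure.use(({ meta, ctx, next }) => {
//     const d = authorize(meta, ctx);
//     if (!d.allowed) throw new TRPCError({ code: d.code });
//     return next();
//   });
```

Keeping the decision in a pure function means the policy can be unit-tested without starting a server, and the `missing` list can go to server-side logs rather than into the client-facing error.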