.jsonp.
tRPC • 7mo ago •
5 replies
.jsonp

Where should authorization/permissions checks happen?

Hey there 👋 What is generally the preferred place to perform permissions checks? Using meta, within a procedure method, within the definition of the procedure via middleware, or something else?

I initially opted for performing checks within defined procedure methods, but this results in quite a bit of code duplication, so I figure using meta could be better (it does feel intuitive). Yet, this somehow feels non-standard. I haven't seen this before... in an ideal world this permissions object could be passed into a procedure as an arg alongside the handler/method as a kind of augmentation.

Currently, I am exploring the use of meta to do this:

```ts
create: authedProcedure
  .input(exampleRepo.create.inputSchema.omit({ submittedById: true }))
  .meta({
    authorize: {
      permissions: {
        exampleResource: ["create"],
      },
    },
  })
  .mutation(async ({ ctx, input }) => {
    return await exampleRepo.create.handler({
      // values
    });
  })
```
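An added example, not part of the original post and not tRPC's own code: a dependency-free sketch of the check that a single middleware on `authedProcedure` could run against the `meta` it receives, denying by default when a procedure declares no permissions, plus an audit that lists such procedures. The names `authorize`, `findUnprotected`, `requiredOf`, `granted` and the `sampleProcedures` map are hypothetical, and it assumes the caller's permissions are available on `ctx` in the same resource-to-actions shape.

```typescript
// Meta shape from the post: resource name -> actions the caller must hold.
type Permissions = { [resource: string]: string[] };
interface AuthorizeMeta { authorize?: { permissions: Permissions } }
interface Decision { allowed: boolean; reason: string }

const own = (o: object, k: string) => Object.prototype.hasOwnProperty.call(o, k);

// Required permissions of a procedure, or undefined if none are declared.
function requiredOf(meta: AuthorizeMeta | undefined): Permissions | undefined {
  const perms = meta && meta.authorize ? meta.authorize.permissions : undefined;
  return perms && Object.keys(perms).length > 0 ? perms : undefined;
}

// `granted` is the caller's permission set (assumed to be placed on ctx by
// the authentication layer). Called from one middleware, not per procedure.
function authorize(meta: AuthorizeMeta | undefined, granted: Permissions): Decision {
  const required = requiredOf(meta);
  // Fail closed: a procedure that forgot .meta() must not become callable.
  if (!required) return { allowed: false, reason: "no authorize meta declared" };
  for (const resource of Object.keys(required)) {
    const needed = required[resource] || [];
    // An empty action list is treated as a mistake, not as "anyone may call".
    if (needed.length === 0) return { allowed: false, reason: `no actions listed for ${resource}` };
    // Own-property lookup so inherited keys on `granted` never match.
    const held = own(granted, resource) ? granted[resource] || [] : [];
    for (const action of needed) {
      if (held.indexOf(action) === -1) {
        return { allowed: false, reason: `missing ${resource}:${action}` };
      }
    }
  }
  return { allowed: true, reason: "ok" };
}

// Startup/CI audit: paths whose meta declares no permissions at all.
function findUnprotected(procs: { [path: string]: AuthorizeMeta | undefined }): string[] {
  return Object.keys(procs).filter((path) => !requiredOf(procs[path]));
}

// Constructed sample standing in for router definitions (path -> meta).
const sampleProcedures: { [path: string]: AuthorizeMeta | undefined } = {
  "example.create": { authorize: { permissions: { exampleResource: ["create"] } } },
  "example.delete": undefined, // .meta() was forgotten
};
```

With the decision in one function, the per-procedure code only declares what it needs, and a forgotten `.meta()` shows up both as a denial at call time and as an entry in the audit list.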