4 replies

TRPC Server Side verification of action.

I have a button that can only be pressed once a day (as a vote). I've made it so the button turns to

disabled

disabled

when a vote has already been processed, or a click for the day.

I've read previously never trust the client, so are there any additional steps/best practices I should take in order to stop abuse?

My mind leads towards doing a check query whenever a button press is handled, but unsure.

  vote: protectedProcedure
    .input(
      z.object({
        server_id: z.string(),
      })
    )
    .mutation(({ ctx, input }) => {
      // Promise all means it perfroms both actions. Previously only the .update happened.
      return Promise.all([
        ctx.prisma.votes.create({
          data: {
            server_id: input.server_id,
            user_id: ctx.session.id,
          },
        }),
        ctx.prisma.server.update({
          where: {
            id: input.server_id,
          },
          data: {
            votes: {
              increment: 1,
            },
          },
        }),
      ]);
    }),

  vote: protectedProcedure
    .input(
      z.object({
        server_id: z.string(),
      })
    )
    .mutation(({ ctx, input }) => {
      // Promise all means it perfroms both actions. Previously only the .update happened.
      return Promise.all([
        ctx.prisma.votes.create({
          data: {
            server_id: input.server_id,
            user_id: ctx.session.id,
          },
        }),
        ctx.prisma.server.update({
          where: {
            id: input.server_id,
          },
          data: {
            votes: {
              increment: 1,
            },
          },
        }),
      ]);
    }),

TTC

Theo's Typesafe Cult•4y ago•

4 replies

Debaucus

TRPC Server Side verification of action.

I have a button that can only be pressed once a day (as a vote). I've made it so the button turns to

disabled

disabled

  vote: protectedProcedure
    .input(
      z.object({
        server_id: z.string(),
      })
    )
    .mutation(({ ctx, input }) => {
      // Promise all means it perfroms both actions. Previously only the .update happened.
      return Promise.all([
        ctx.prisma.votes.create({
          data: {
            server_id: input.server_id,
            user_id: ctx.session.id,
          },
        }),
        ctx.prisma.server.update({
          where: {
            id: input.server_id,
          },
          data: {
            votes: {
              increment: 1,
            },
          },
        }),
      ]);
    }),

  vote: protectedProcedure
    .input(
      z.object({
        server_id: z.string(),
      })
    )
    .mutation(({ ctx, input }) => {
      // Promise all means it perfroms both actions. Previously only the .update happened.
      return Promise.all([
        ctx.prisma.votes.create({
          data: {
            server_id: input.server_id,
            user_id: ctx.session.id,
          },
        }),
        ctx.prisma.server.update({
          where: {
            id: input.server_id,
          },
          data: {
            votes: {
              increment: 1,
            },
          },
        }),
      ]);
    }),

TRPC Server Side verification of action.

Similar Threads

TRPC Server Side verification of action.

Similar Threads

Similar Threads

Similar Threads