Is it safe to get all data based on a route query parameter?

I have a dynamic route which renders a single Project-page. The page itself is being rendered based on the id of the route-query. Like this:
const router = useRouter();

// The project id comes straight from the URL (router.query.id); the cast only
// satisfies TypeScript, it does not validate anything.
const todoQuery = api.project.getById.useQuery(router.query.id as string);
const { data: project } = todoQuery;
Inside this page I am also fetching (and mutating) all the categories that belong to this project. I am doing this by looking at what projectId the route-query has. Like this:
// project?.id is undefined until getById resolves, so on the first render this
// query is issued with projectId === undefined.
const { data: categories, refetch: refetchCategories } = api.category.getAll.useQuery(
  {
    projectId: project?.id as string
  },
)
I feel like this is kinda unsafe though. Wouldn't another user just be able to enter this projectId into their browser and be able to see all the categories? Should I also check that the author is the current signed-in user? I am also seeing an error that projectId is undefined at first render, but the categories are being fetched anyway.
4 Replies
Brendonovich (14mo ago)
as long as your trpc endpoints don't allow users to load projects/categories that don't belong to them then it's fine
Jazon (14mo ago)
@Brendonovich The getAll-procedure looks like this
// protectedProcedure guarantees ctx.session.user exists, but the query below
// never uses it: the only filter is the client-supplied projectId.
getAll: protectedProcedure.input(z.object({ projectId: z.string() })).query(({ ctx, input }) => {
  return ctx.prisma.category.findMany({
    where: {
      projectId: input.projectId
    },
  });
}),
But isn't the protectedProcedure only there to check that the user isn't an unauthenticated user? And isn't the "ctx" in this case what is bound to the session, and the only thing that checks whether the user really is the currently signed-in one?
Solution
Brendonovich (14mo ago)
yep, you'll wanna make sure that the project belongs to the user too
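What that ownership check looks like in practice, as an added example that is not code from the thread or from the create-t3-app project. It runs without tRPC, Prisma or a database by using a small in-memory stand-in for the two tables; the field names project.userId and category.projectId, the user ids, and the sample rows are all constructed assumptions, since the thread never shows the schema.

```typescript
// Added example (not from the thread). Models the getAll procedure twice:
// as posted (filters on projectId only) and scoped to the signed-in user.
// Field names (project.userId, category.projectId) are assumptions.

type Project = { id: string; userId: string };
type Category = { id: string; projectId: string; name: string };

// Constructed sample data: two users, each owning exactly one project.
const projects: Project[] = [
  { id: "proj-1", userId: "user-A" },
  { id: "proj-2", userId: "user-B" },
];
const categories: Category[] = [
  { id: "cat-1", projectId: "proj-1", name: "Backlog" },
  { id: "cat-2", projectId: "proj-1", name: "Done" },
  { id: "cat-3", projectId: "proj-2", name: "Private" },
];

// The part of ctx that a protectedProcedure guarantees is present.
type Ctx = { session: { user: { id: string } } };

class ForbiddenError extends Error {
  readonly code = "FORBIDDEN";
}

// As posted: any signed-in user who knows (or guesses) a projectId gets
// that project's categories, because ctx.session.user.id is never consulted.
function getAllUnsafe(_ctx: Ctx, input: { projectId: string }): Category[] {
  return categories.filter((c) => c.projectId === input.projectId);
}

// Hardened: the lookup is scoped to a project owned by the caller. With Prisma
// the same scoping is one query (assumes a `project` relation on Category):
//   ctx.prisma.category.findMany({
//     where: { projectId: input.projectId, project: { userId: ctx.session.user.id } },
//   })
// Returning [] for a foreign project is also acceptable; throwing makes the
// denial explicit (in tRPC: throw new TRPCError({ code: "FORBIDDEN" })).
function getAllSafe(ctx: Ctx, input: { projectId: string }): Category[] {
  const owned = projects.find(
    (p) => p.id === input.projectId && p.userId === ctx.session.user.id,
  );
  if (!owned) {
    throw new ForbiddenError("project does not belong to the signed-in user");
  }
  return categories.filter((c) => c.projectId === owned.id);
}

// Convenience wrapper so callers can check the outcome without try/catch.
function tryGetAllSafe(ctx: Ctx, projectId: string): Category[] | "denied" {
  try {
    return getAllSafe(ctx, { projectId });
  } catch (e) {
    if (e instanceof ForbiddenError) return "denied";
    throw e;
  }
}

// Constructed sessions for the two users.
const userA: Ctx = { session: { user: { id: "user-A" } } };
const userB: Ctx = { session: { user: { id: "user-B" } } };

// user-B asking for user-A's project: the posted version leaks both
// categories, the scoped version is denied.
const leaked = getAllUnsafe(userB, { projectId: "proj-1" }).length; // 2
const denied = tryGetAllSafe(userB, "proj-1"); // "denied"
```

The same pattern applies to every category mutation on the page: resolve the category through its owning project and the session user before updating or deleting, rather than trusting the id the client sends. Separately from authorization, the "projectId is undefined at first render" error comes from firing the query before getById has resolved; passing `{ enabled: !!project?.id }` as the second argument to `useQuery` (a react-query option that tRPC forwards) defers the request until the id exists.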
Jazon (14mo ago)
Alright cool, thanks!