Having a role on the session: is this a security issue and/or is there a better way?
Hey, quick question on t3 (more security and sessions). If I have this role property on the user and want to check it every time a call is made, is it fine to store it on the ctx.session.user object, or is there a better way?
This role will obviously determine what privileges the user has and whether certain checks need to be skipped if the user is an admin, etc.
Basically what I want to achieve is that when an admin checks a partner's org it should skip the checkUserOwnsOrganization check.
Code:
schema.prisma:
File: [...nextauth].ts
router > organization.ts
I've never used nextauth but the trpc context (ctx) is meant for that type of thing. I'm pretty sure they even detail role auth using ctx in the trpc docs.
It's all good as long as it all stays on the server and can't be messed with.
Ahh, so I should be able to achieve this without the next auth part? @MonobrainChris
I use a different solution but I'm assuming next auth returns a user object from the db, so that's fine to use for auth. Not sure of the Next auth implementation but it's all kinda the same. Get the user object from the DB based on a successful login. nextauth will store a cookie or something to keep the user logged in.
NextAuth appears quite opinionated; I would read the docs thoroughly to get a good understanding.
Ahh okay, I'll do that. I was checking and also wondering, this could theoretically be achieved like this, right?
Obviously a db check will be needed I assume, but I guess in this case it will always fetch the latest role from the user while the prior one will use the value at sign in?
If protectedProcedure is imported into your routes then yeah, it checks if there is no session or user.
publicProcedure can be used for the login procedures.
Yea, but I mean the extension I made to protectedProcedure should attach the role to the session, right? And it will be more up to date than the previous example where that value is just fetched at log in?
Role on session doesn't really make sense just conceptually from what a session is.
The role should be in the session already
if the user object is in it.
Oh yea, on the user object it's fine.
But if you need this role on pretty much every procedure, I'd recommend using the next-auth session callback instead of trpc middleware.
Callbacks | NextAuth.js
Callbacks are asynchronous functions you can use to control what happens when an action is performed.
Ahh, like the first example I gave? @cje. Yea, that makes sense @MonobrainChris, thanks!
Just to be clear: when you auth it grabs the user object; if that includes the role you can just use that inside the session to do more fine-grained auth.
I'm assuming when you auth the whole user including role gets put in session?
Yea, but from my example I am only placing the user id and role on the session.
But I assume you're talking about this above,
which should place the whole user object into the session.
Oh yeah i saw that earlier sorry. I personally pass the user object all over the place in client using an auth context component.
As long as the password is gone and auth is good you can pass it about.
It's the user details after all
Yea, I was just scared that a user could change the role client side and access different things, but I assume since this is using sessions on the server it's fine?
From what I understand, when the user logs in the user properties are added to the session and then stored on the backend.
I assume if it was JWT it would be otherwise.
Not sure how it works under the hood honestly. They use stateless cookies, save the session data and refer back to it for auth when needed.
When you log out you probably call a function that deletes the cookie.
Session data is often user data in this context.
At least that is how iron-session does it; I think nextauth is the same but with more functionality.
Ahh okay, thanks for the help! I appreciate it. Will do some more reading.
Hi @MartinB, I'm struggling with the same issue. How did you fix it, if you fixed it?
I got it working, just haven't worked on the project in a while so forgot a bit, but busy taking a look.
Found this in the callbacks section in the nextAuth
User model
Just note you need to log out and back in after assigning a role to a user via Prisma Studio or the API to make the changes reflect.
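An added example, not code from this thread, T3, NextAuth or tRPC, that models the two points the discussion keeps circling back to: what the session callback copies from the user row onto the session (id and role, never the password hash), and a middleware-style decision where an admin skips checkUserOwnsOrganization. The stand-in types, the checkUserOwnsOrganization signature and all sample data are assumptions so that it runs without those packages.

```typescript
// Added example (not code from the thread). Stand-in types replace NextAuth/tRPC
// types so this runs without those packages; field names are assumptions.
type Role = "USER" | "ADMIN";

// Constructed stand-in for the Prisma User row.
interface DbUser { id: string; passwordHash: string; role: Role }

// Only id and role are exposed on the session; the password hash never leaves the server.
interface SessionUser { id: string; role: Role }
interface Session { user: SessionUser }

// Mirrors NextAuth's `session` callback under the database session strategy:
// `user` is re-read from the DB for each request, so the role is always current.
function sessionCallback(user: DbUser): Session {
  return { user: { id: user.id, role: user.role } };
}

// Mirrors NextAuth's `jwt` callback: `user` is only present at sign-in, and the
// returned token is what later requests see, so a role copied here goes stale
// until the user signs out and back in (the point made in the last reply above).
function jwtCallback(token: Partial<SessionUser>, user?: DbUser): Partial<SessionUser> {
  return user ? { ...token, id: user.id, role: user.role } : token;
}

interface Organization { id: string; ownerId: string }

// The ownership check named in the question (signature assumed).
function checkUserOwnsOrganization(session: Session, org: Organization): boolean {
  return org.ownerId === session.user.id;
}

// Middleware-style decision: no session -> UNAUTHORIZED (what protectedProcedure
// enforces), ADMIN -> skip the ownership check, anyone else must own the org.
type Decision = { ok: true } | { ok: false; code: "UNAUTHORIZED" | "FORBIDDEN" };

function authorizeOrganizationAccess(session: Session | null, org: Organization): Decision {
  if (!session) return { ok: false, code: "UNAUTHORIZED" };
  if (session.user.role === "ADMIN") return { ok: true };
  if (checkUserOwnsOrganization(session, org)) return { ok: true };
  return { ok: false, code: "FORBIDDEN" };
}

// Constructed sample data.
const adminRow: DbUser = { id: "u1", passwordHash: "<hash>", role: "ADMIN" };
const partnerRow: DbUser = { id: "u2", passwordHash: "<hash>", role: "USER" };
const strangerRow: DbUser = { id: "u3", passwordHash: "<hash>", role: "USER" };
const partnerOrg: Organization = { id: "org1", ownerId: "u2" };
```

Because the role is read from the server-side session (or a server-signed token) rather than from anything the client sends, editing it in the browser has no effect on the decision; the only thing the client controls is whether it presents a valid session cookie.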