Proper way to authorize the user in an Inngest function?

Hey there, looking for some help wrapping my head around getting the user session in an Inngest function. I have my project updated to use the newer getClaims method also. In the following code, the getClaims data is empty, which is expected in this scope. What would be the proper way to get the session validated in this scope to perform CRUD operations on the tables?

Inngest function

```ts
export default inngest.createFunction(
  { id: 'process' },
  { event: 'process' },
  async ({ event, step }) => {
    const { fileData, fileType } = event.data

    if (!fileData || !fileType) {
      throw new Error('No fileData or fileType provided in event payload')
    }

    const supabase = await createClient()
    const { data: user } = await supabase.auth.getClaims()

    if (!user?.claims) {
      throw new Error('No user claims provided in event payload') // <<<<< FAILS (EXPECTED)
    }

    const userId = user.claims.sub

    // ...rest
  }
)
```

API route that triggers the Inngest function

```ts
import { NextResponse } from 'next/server'

export async function POST(req: Request) {
  try {
    const supabase = await createClient()

    const { data, error: authError } = await supabase.auth.getClaims()

    if (authError || !data?.claims) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }

    const body = await req.json()
    const { fileData, fileType } = body

    if (!fileData || !fileType) {
      return NextResponse.json({ error: 'fileData and fileType are required' }, { status: 400 })
    }

    await inngest.send({
      name: 'process',
      data: {
        fileData,
        fileType,
      },
    })

    return NextResponse.json({
      success: true,
      message: 'Processing started',
    })
  } catch (error) {
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
}
```

5 Replies

Vikram (OP) · 2w ago
Is there a way to get the access token out of this? I could use that to create the client in Inngest

silentworks · 7d ago
You would just pass the access token from the API route to the Inngest call as a data property.

Vikram (OP) · 7d ago
Hey, good morning! Thank you for that info! Quick follow up, is there a way to get that access token from a getClaims call? Tried looking this up in the docs but not a lot of references to getClaims in there

vick · 6d ago
The Inngest functions are going to run asynchronously, so you cannot guarantee that the token will still be valid when it runs. Likely it will, but you're relying on luck of timing for correctness, and that's never a good pattern. The best pattern here is to pass the Supabase user ID to the Inngest function, and have it run queries as the service account and use the user_id in your where clauses to restrict the access as you need.

Vikram (OP) · 4d ago
Sorry for the late reply, just saw this. Thanks for that feedback! I'll implement something like that instead
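
The pattern vick describes above, sketched as an added example that is not code from the thread or from the Supabase or Inngest projects. It assumes a `files` table with `user_id`, `file_type` and `size` columns and an `admin` supabase-js client created with the service-role key; `buildProcessEvent`, `forUser` and `processHandler` are hypothetical names.

```javascript
// Added example, not code from the thread. Assumptions: a `files` table with
// `user_id`, `file_type` and `size` columns; `admin` is a supabase-js client
// created with the service-role key; all function names are hypothetical.

// API route: take the user id from the verified claims, never from the body.
// Usage there: await inngest.send(buildProcessEvent(data.claims, body))
function buildProcessEvent(claims, body) {
  if (!claims || !claims.sub) throw new Error('Unauthorized')
  const { fileData, fileType } = body
  if (!fileData || !fileType) throw new Error('fileData and fileType are required')
  return { name: 'process', data: { fileData, fileType, userId: claims.sub } }
}

// The service-role key bypasses RLS, so each query is pinned to one user here.
function forUser(admin, table, userId) {
  if (typeof userId !== 'string' || userId === '') throw new Error('event has no userId')
  return {
    select: (columns = '*') => admin.from(table).select(columns).eq('user_id', userId),
    insert: (row) => admin.from(table).insert({ ...row, user_id: userId }),
    update: (id, patch) => {
      const { user_id, ...safe } = patch // never let a row move to another user
      return admin.from(table).update(safe).eq('id', id).eq('user_id', userId)
    },
    remove: (id) => admin.from(table).delete().eq('id', id).eq('user_id', userId),
  }
}

// Handler body for inngest.createFunction({ id: 'process' }, { event: 'process' }, ...)
async function processHandler({ event }, admin) {
  const { fileData, fileType, userId } = event.data
  const files = forUser(admin, 'files', userId)
  const { error } = await files.insert({ file_type: fileType, size: fileData.length })
  if (error) throw new Error(error.message)
  const { data } = await files.select('id, file_type')
  return data
}
```

Because the event carries only the user id, the job does not depend on an access token still being valid when it runs.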
