Getting userId in server function
Hello,
First of all, thank you for this amazing framework! I’m getting more and more hooked on it every day.
I’ve been using Clerk for authentication and exploring how it integrates with Tanstack Start.
Currently, I’m protecting my server functions with an authentication middleware like this:
Then, I apply the middleware to my server function to protect access:
Inside the server function handler, I need to access the userId. I can retrieve it with the Clerk backend library like this:
Alternatively, I could return it through the middleware context:
However the “context” approach feels a bit insecure to me.
I’m not entirely sure how the context works under the hood, but I’m concerned that an authenticated user might somehow manipulate the userId and create records on behalf of someone else.
Could someone clarify whether this concern is valid or if the context is safe in this case?
Thanks!
First of all, thank you for this amazing framework! I’m getting more and more hooked on it every day.
I’ve been using Clerk for authentication and exploring how it integrates with Tanstack Start.
Currently, I’m protecting my server functions with an authentication middleware like this:
Then, I apply the middleware to my server function to protect access:
Inside the server function handler, I need to access the userId. I can retrieve it with the Clerk backend library like this:
Alternatively, I could return it through the middleware context:
However the “context” approach feels a bit insecure to me.
I’m not entirely sure how the context works under the hood, but I’m concerned that an authenticated user might somehow manipulate the userId and create records on behalf of someone else.
Could someone clarify whether this concern is valid or if the context is safe in this case?
Thanks!
