The `protectedProcedure` doesn't seem protected?
It seems that all the function does, is check whether we've sent a username.
I have enabled "strategy: "jwt" in next-auth, so my understanding is that NextJS encrypts the token it's received from auth provider, and now uses this to determine whether we're logged in etc. In terms of making authenticated requests, should we not be doing something like decrypting the
I have enabled "strategy: "jwt" in next-auth, so my understanding is that NextJS encrypts the token it's received from auth provider, and now uses this to determine whether we're logged in etc. In terms of making authenticated requests, should we not be doing something like decrypting the
access_token in the protectedProcedure handler, and getting the user / scope from that, and then assume the user is actually who they say they are (rather than trusting the client who could send any username)2 Replies
Unknown User•2y ago
Message Not Public
Sign In & Join Server To View
Ah right, yes apologies I somehow missed the
createContext which resolves the session via the unstable_getServerSession thanks!