tRPC server-side verification of an action.

I have a button that can only be pressed once a day (as a vote). I've made it so the button is disabled once a vote has already been processed, i.e. a click for the day. I've read previously to never trust the client, so are there any additional steps/best practices I should take in order to stop abuse? My mind leads towards doing a check query whenever a button press is handled, but I'm unsure.
    vote: protectedProcedure
      .input(
        z.object({
          server_id: z.string(),
        })
      )
      .mutation(({ ctx, input }) => {
        // Promise.all means it performs both actions. Previously only the .update happened.
        return Promise.all([
          ctx.prisma.votes.create({
            data: {
              server_id: input.server_id,
              user_id: ctx.session.id,
            },
          }),
          ctx.prisma.server.update({
            where: {
              id: input.server_id,
            },
            data: {
              votes: {
                increment: 1,
              },
            },
          }),
        ]);
      }),
3 Replies
Christian Lind
Great question, looking forward to seeing a good answer to this one! But I'm assuming it's not more difficult than simply checking with a simple "if pressed_today return error, else (insert logic)" in the tRPC function
Debaucus (OP), 2y ago
Probably? Is that still trusting the client too much though? If someone found the trigger it would still be repeatable.
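An added example, not code from this thread, of the server-side check Christian describes, written so that the "repeatable trigger" Debaucus worries about is also closed: the check-then-insert race is settled by a uniqueness key on (user, server, day) rather than by a lone lookup. It uses an in-memory stand-in for the Prisma tables; the comments note how this maps onto Prisma (a @@unique on the votes model, $transaction, and Prisma's P2002 unique-constraint error), which the example itself does not exercise.

```typescript
// Added example (not the OP's code): enforce "one vote per user per server per day" in the
// mutation itself. Identity comes from ctx.session, never from the client's input, and the
// store's unique key rejects a second insert even if two requests arrive at the same instant.

type Vote = { userId: string; serverId: string; day: string };

// Error the mutation raises; in tRPC this would be a TRPCError with code "CONFLICT".
class VoteConflict extends Error {
  readonly code = "ALREADY_VOTED";
  constructor() { super("already voted today"); }
}

// Calendar day in UTC (YYYY-MM-DD); it is part of the uniqueness key, so the
// window is a fixed server-side day rather than "24h since whatever the client says".
function voteDay(now: Date): string {
  return now.toISOString().slice(0, 10);
}

// In-memory stand-in for the two Prisma tables (constructed for this example).
// The real schema would carry @@unique([user_id, server_id, vote_day]) on votes and run
// the create + update inside prisma.$transaction so a failed insert never bumps the counter.
class MemoryStore {
  private votes = new Map<string, Vote>();
  private serverVotes = new Map<string, number>();

  // Mimics the DB unique constraint: same (user, server, day) twice is rejected.
  insertVote(v: Vote): void {
    const key = `${v.userId}|${v.serverId}|${v.day}`;
    if (this.votes.has(key)) throw new Error("UNIQUE_VIOLATION"); // Prisma surfaces this as P2002
    this.votes.set(key, v);
  }
  increment(serverId: string): number {
    const next = (this.serverVotes.get(serverId) ?? 0) + 1;
    this.serverVotes.set(serverId, next);
    return next;
  }
}

// Body of the vote mutation. Returns the server's new vote count, or throws VoteConflict.
function castVote(store: MemoryStore, sessionUserId: string, serverId: string, now = new Date()): number {
  try {
    store.insertVote({ userId: sessionUserId, serverId, day: voteDay(now) });
  } catch {
    throw new VoteConflict(); // second press today, however it was triggered
  }
  return store.increment(serverId);
}
```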
Unknown User, 2y ago
Message Not Public