TTC
Theo's Typesafe Cult2y ago
Jazon

Is it safe to get all data based on a route query parameter?

I have a dynamic route which renders a single Project-page. The page itself is being rendered based on the id of the route-query. Like this: 
const router = useRouter();

const todoQuery = api.project.getById.useQuery(router.query.id as string);
const { data: project } = todoQuery;
const router = useRouter();

const todoQuery = api.project.getById.useQuery(router.query.id as string);
const { data: project } = todoQuery;
Inside this page I am also fetching (and mutate) all the categories that belongs to this project. I am doing this by looking at what projectId the route-query has. Like this: 
const { data: categories, refetch: refetchCategories } = api.category.getAll.useQuery(
    {
      projectId: project?.id as string
    },
  )
const { data: categories, refetch: refetchCategories } = api.category.getAll.useQuery(
    {
      projectId: project?.id as string
    },
  )
I feel like this is kinda unsafe though. Wouldn't another user just be able to enter this projectId into their browser, and be able to see all the categories? Should I also check that the author is the current signed in user? I am also seeing an error that projectId is undefined at first render, but the categories is being fetched anyway.
Solution:
yep, you'll wanna make sure that the project belongs to the user too
Jump to solution
4 Replies
Brendonovich
Brendonovich2y ago
as long as your trpc endpoints don't allow users to load projects/categories that don't belong to them then it's fine
Jazon
JazonOP2y ago
@Brendonovich The getAll-procedure looks like this 
getAll: protectedProcedure.input(z.object({ projectId: z.string() })).query(({ ctx, input }) => {
    return ctx.prisma.category.findMany({
      where: {
        projectId: input.projectId
      },
    });
  }),
getAll: protectedProcedure.input(z.object({ projectId: z.string() })).query(({ ctx, input }) => {
    return ctx.prisma.category.findMany({
      where: {
        projectId: input.projectId
      },
    });
  }),
But isn't the protectedProcedure only there to check that the user isn't an unauthenticated user? That the "ctx" in this case is what is being bound to the session and the only one to check if the user really is the current signed in one?
Solution
Brendonovich
Brendonovich2y ago
yep, you'll wanna make sure that the project belongs to the user too
Jazon
JazonOP2y ago
Alright cool, thanks!
Want results from more Discord servers?
Add your server