TTC
Theo's Typesafe Cult3mo ago
james162861

Express-Like Auth Middleware Pattern For Server Actions?

Since all server actions should be authenticated, I have sprinkled clerk's auth() function at the top of every single action's function body. This seems silly. I liked how Express allows you to apply an auth middleware to collections of routes. For instance: 
const authMiddleware = (req, res, next) => {
  const authToken = req.headers['authorization'];
  
  if (!authToken) {
    return res.status(401).json({ error: 'No authorization token provided' });
  }

  const user = users.find(u => u.token === authToken);
  
  if (!user) {
    return res.status(401).json({ error: 'Invalid authorization token' });
  }

  // Attach the user to the request object for use in the route handler
  req.user = user;
  next();
};

// Protected route
app.get('/protected', authMiddleware, (req, res) => {
  res.send('<h1>Protected Data</h1>');
});
const authMiddleware = (req, res, next) => {
  const authToken = req.headers['authorization'];
  
  if (!authToken) {
    return res.status(401).json({ error: 'No authorization token provided' });
  }

  const user = users.find(u => u.token === authToken);
  
  if (!user) {
    return res.status(401).json({ error: 'Invalid authorization token' });
  }

  // Attach the user to the request object for use in the route handler
  req.user = user;
  next();
};

// Protected route
app.get('/protected', authMiddleware, (req, res) => {
  res.send('<h1>Protected Data</h1>');
});
One possible solution is to extract the auth into a wrapper function and wrap each server action with it. Still a alot of repetition. Another solution could be to export the protected server actions to an index file and wrap that the withAuth wrapper function. Are there any other patters? I love server actions, but am missing traditional auth middleware.
6 Replies
Ahmed Senousy
Ahmed Senousy3mo ago
you can use a library like zsa for a trpc like experience https://zsa.vercel.app/docs/procedures check this out. the first example is exactly the pattern u want
james162861
james1628613mo ago
@Ahmed Senousy Thank you! This is basically tRPC without the crazy set up.
Ahmed Senousy
Ahmed Senousy3mo ago
yesss I fell in love once I saw it 😂❤️
james162861
james1628612mo ago
@Ahmed Senousy I've been doing some research and another option is adding policies if you are using Postgres. For instance, you can enforce that the user is editing a post that it owns. I guess its up to the developer about whether the check should be at the api level or the DB level
Ahmed Senousy
Ahmed Senousy2mo ago
I'm not a big fan of row level security but yes it can be done using that too ig I like to keep my auth logic in my service layer (backend) and keep my db for only r/w
james162861
james1628612mo ago
yea, its definitely easier to debug if the logic is in the action, but you are making an extra query to the database each time the user modifies data
Want results from more Discord servers?
Add your server