mbuxmann
mbuxmann
PostsComments
TTCTheo's Typesafe Cult
Created by mbuxmann on 4/22/2023 in #questions
Having role on session, is this security issue and/or is there better way?
just note you need to logout and back in after assigning a role to a user via prisma studio or api to make the changes reflect
38 replies
TTCTheo's Typesafe Cult
Created by mbuxmann on 4/22/2023 in #questions
Having role on session, is this security issue and/or is there better way?
Found this in the callbacks section in the nextAuth 
  callbacks: {
    session({ session, user }) {
      if (session.user) {
        session.user.id = user.id;
        session.user.role = user.role;
      }
      return session;
    },
  },
  callbacks: {
    session({ session, user }) {
      if (session.user) {
        session.user.id = user.id;
        session.user.role = user.role;
      }
      return session;
    },
  },
User modal 
model User {
  id                 String         @id @default(cuid())
  name               String?
  email              String?        @unique
  emailVerified      DateTime?
  image              String?
  role               Role           @default(USER)
  opted              Boolean        @default(false)
  accounts           Account[]
  sessions           Session[]
  ethWallets         EthWallet[]
  organizations      Organization[]
  ownedOrganizations Organization[] @relation("OrganizationOwner")
}
model User {
  id                 String         @id @default(cuid())
  name               String?
  email              String?        @unique
  emailVerified      DateTime?
  image              String?
  role               Role           @default(USER)
  opted              Boolean        @default(false)
  accounts           Account[]
  sessions           Session[]
  ethWallets         EthWallet[]
  organizations      Organization[]
  ownedOrganizations Organization[] @relation("OrganizationOwner")
}
38 replies
TTCTheo's Typesafe Cult
Created by mbuxmann on 4/22/2023 in #questions
Having role on session, is this security issue and/or is there better way?
I got it working just havent worked on the project in a while so forgot a bit but busy taking a look
38 replies
TTCTheo's Typesafe Cult
Created by mbuxmann on 4/22/2023 in #questions
Having role on session, is this security issue and/or is there better way?
Ahh okay thanks for the help! I appreciate it. WIll do some more reading.
38 replies
TTCTheo's Typesafe Cult
Created by mbuxmann on 4/22/2023 in #questions
Having role on session, is this security issue and/or is there better way?
i assume if it was JWT it would be otherwise
38 replies
TTCTheo's Typesafe Cult
Created by mbuxmann on 4/22/2023 in #questions
Having role on session, is this security issue and/or is there better way?
from what i understand is when user logs in the user properties are added to the session and then stored on the backend
38 replies
TTCTheo's Typesafe Cult
Created by mbuxmann on 4/22/2023 in #questions
Having role on session, is this security issue and/or is there better way?
yea i was just scared that a user could change the role client side and access different things but i assume since this is using sessions on the server its fine?
38 replies
TTCTheo's Typesafe Cult
Created by mbuxmann on 4/22/2023 in #questions
Having role on session, is this security issue and/or is there better way?
export interface DefaultSession {
    user?: {
        name?: string | null;
        email?: string | null;
        image?: string | null;
    };
    expires: ISODateString;
}
export interface DefaultSession {
    user?: {
        name?: string | null;
        email?: string | null;
        image?: string | null;
    };
    expires: ISODateString;
}
38 replies
TTCTheo's Typesafe Cult
Created by mbuxmann on 4/22/2023 in #questions
Having role on session, is this security issue and/or is there better way?
import { DefaultSession } from "next-auth";

declare module "next-auth" {
  /**
   * Returned by `useSession`, `getSession` and received as a prop on the `SessionProvider` React Context
   */
  interface Session {
    user?: {
      id: string;
      role: Prisma.Role;
    } & DefaultSession["user"];
  }
}
import { DefaultSession } from "next-auth";

declare module "next-auth" {
  /**
   * Returned by `useSession`, `getSession` and received as a prop on the `SessionProvider` React Context
   */
  interface Session {
    user?: {
      id: string;
      role: Prisma.Role;
    } & DefaultSession["user"];
  }
}
38 replies
TTCTheo's Typesafe Cult
Created by mbuxmann on 4/22/2023 in #questions
Having role on session, is this security issue and/or is there better way?
yea, but from my exmaple i am only placing the user id and role on the session. 
  callbacks: {
    session({ session, user }) {
      if (session.user) {
        session.user.id = user.id;
        session.user.role = user.role;
      }
      return session;
    },
  },
  callbacks: {
    session({ session, user }) {
      if (session.user) {
        session.user.id = user.id;
        session.user.role = user.role;
      }
      return session;
    },
  },
but i assume you talking about this above 
  callbacks: {
    session({ session, user }) {
      if (session.user) {
        session.user = user
      }
      return session;
    },
  },
  callbacks: {
    session({ session, user }) {
      if (session.user) {
        session.user = user
      }
      return session;
    },
  },
which should place the whole user object into session
38 replies
TTCTheo's Typesafe Cult
Created by mbuxmann on 4/22/2023 in #questions
Having role on session, is this security issue and/or is there better way?
ahh like the first example I gave? @cje . Yea that makes sense @MonobrainChris thanks!
38 replies
TTCTheo's Typesafe Cult
Created by mbuxmann on 4/22/2023 in #questions
Having role on session, is this security issue and/or is there better way?
yea but i mean the extension i made to protectedProcedure should attach the role to the session right and will be more up to date then the previous example where that value is just fetched at log in?
38 replies
TTCTheo's Typesafe Cult
Created by mbuxmann on 4/22/2023 in #questions
Having role on session, is this security issue and/or is there better way?
obviously a db check will be needed i assume, but i guess in this case it will always fetch the latest role from the user while the prior one will use the value at sign in?
38 replies
TTCTheo's Typesafe Cult
Created by mbuxmann on 4/22/2023 in #questions
Having role on session, is this security issue and/or is there better way?
Ahh okay i'll do that. I was checking and wondering also this could theoretically be achieved like this right? 
import { initTRPC, TRPCError } from "@trpc/server";
import type { Context } from "./context";
import superjson from "superjson";

const t = initTRPC.context<Context>().create({
  transformer: superjson,
  errorFormatter({ shape }) {
    return shape;
  },
});

export const router = t.router;

/**
 * Unprotected procedure
 **/
export const publicProcedure = t.procedure;

/**
 * Reusable middleware to ensure
 * users are logged in
 */
const isAuthed = t.middleware(({ ctx, next }) => {
  if (!ctx.session || !ctx.session.user) {
    throw new TRPCError({ code: "UNAUTHORIZED" });
  }

  const userRole = getUserRole(ctx.session.user.id)//get role from db

  return next({
    ctx: {
      // infers the `session` as non-nullable
      session: {
        ...ctx.session, user: { ...ctx.session.user, role: userRole },
      },
    },
  });
});

/**
 * Protected procedure
 **/
export const protectedProcedure = t.procedure.use(isAuthed);
import { initTRPC, TRPCError } from "@trpc/server";
import type { Context } from "./context";
import superjson from "superjson";

const t = initTRPC.context<Context>().create({
  transformer: superjson,
  errorFormatter({ shape }) {
    return shape;
  },
});

export const router = t.router;

/**
 * Unprotected procedure
 **/
export const publicProcedure = t.procedure;

/**
 * Reusable middleware to ensure
 * users are logged in
 */
const isAuthed = t.middleware(({ ctx, next }) => {
  if (!ctx.session || !ctx.session.user) {
    throw new TRPCError({ code: "UNAUTHORIZED" });
  }

  const userRole = getUserRole(ctx.session.user.id)//get role from db

  return next({
    ctx: {
      // infers the `session` as non-nullable
      session: {
        ...ctx.session, user: { ...ctx.session.user, role: userRole },
      },
    },
  });
});

/**
 * Protected procedure
 **/
export const protectedProcedure = t.procedure.use(isAuthed);
38 replies
TTCTheo's Typesafe Cult
Created by mbuxmann on 4/22/2023 in #questions
Having role on session, is this security issue and/or is there better way?
ahh so i should be able to achieve this without next auth part? @MonobrainChris
38 replies