simplify `feed.all`-resolver

Open KATT opened this issue 4 years ago • 4 comments

Secondly, I think the supabase user should be propagated in the context so we don't even need to pass in a userId. Right now any user can get any other user's feed.

KATT avatar Sep 26 '21 09:09 KATT

Someone is attempting to deploy a commit to a Personal Account owned by @thomas-coldwell on Vercel.

@thomas-coldwell first needs to authorize it.

vercel[bot] avatar Sep 26 '21 09:09 vercel[bot]

Good point - I've got it sending its JWT over now and decoding using supabase.auth.api.getUser() in the createContext function. Setting up some middleware to check the user in the ctx is not null - using this as a guide https://trpc.io/docs/middlewares#createprotectedrouter-helper . One issue I did face was that I had to apply the middleware to each sub-router individually rather than the main router, as otherwise user would still show up as User | null - let me know if there is a better way to handle this 😀

thomas-coldwell avatar Sep 27 '21 10:09 thomas-coldwell

The approach I'm using right now is that

  • I have a viewerRouter which has all the procedures that are individual to the logged-in user - this subroute has that middleware at the top
  • I use a splitLink to make sure viewer procedures are never done in the same request as the rest
  • Then, I can safely add edge cache headers on all requests that don't contain a viewer in the procedures called - like this

KATT avatar Sep 27 '21 11:09 KATT

Does the viewerRouter have sub routers as well then e.g.

```ts
viewerRouter()
  .middleware(authorizationFunction)
  .merge("user.", userRouter)
  .merge("feed.", feedRouter);
```

or are the endpoints added onto the viewerRouter directly:

```ts
viewerRouter()
  .middleware(authorizationFunction)
  .query("user.byId", () => {})
```

In the second case any queries / mutations have access to the validated context where ctx.user is not null (due to the middleware check), but in the first case the sub-routers are not aware of this middleware and therefore ctx.user can be null, even though it won't be as there is auth middleware higher up checking it.

Is there possibly something that could be done as part of the merge that would make sub-routers automatically aware of the context if it is altered by middleware?

thomas-coldwell avatar Oct 01 '21 11:10 thomas-coldwell
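
Added example, not part of the thread or the project's code: a framework-free TypeScript model of the change discussed above, showing a feed resolver that trusts a client-supplied `userId` beside one that takes identity only from the verified context, with the null check done once in a wrapper that narrows `User | null` to `User`. The names `SESSIONS`, `FEEDS`, `feedAllInsecure`, `protectedProcedure` and `feedAll` are hypothetical, this is not the tRPC API, and the token lookup is an assumed stand-in for verifying the Supabase JWT.

```typescript
type User = { id: string };
type Context = { user: User | null }; // what createContext can promise
type AuthedContext = { user: User };  // what a protected resolver may assume

// Constructed sample data. The token lookup stands in for verifying the
// Supabase JWT (the thread does this with supabase.auth.api.getUser()).
const SESSIONS = new Map<string, User>([
  ["token-alice", { id: "alice" }],
  ["token-bob", { id: "bob" }],
]);
const FEEDS = new Map<string, string[]>([
  ["alice", ["alice-post-1", "alice-post-2"]],
  ["bob", ["bob-post-1"]],
]);

// Identity is derived from the Authorization header only, never from input.
function createContext(authorization?: string): Context {
  const header = authorization ?? "";
  const token = header.startsWith("Bearer ") ? header.slice(7) : "";
  return { user: SESSIONS.get(token) ?? null };
}

// Before: the caller chooses whose feed to read, so any user can read any feed.
function feedAllInsecure(_ctx: Context, input: { userId: string }): string[] {
  return FEEDS.get(input.userId) ?? [];
}

// Hypothetical wrapper: rejects anonymous callers once, then passes the
// resolver a context whose type already says user is non-null.
function protectedProcedure<I, O>(resolve: (ctx: AuthedContext, input: I) => O) {
  return (ctx: Context, input: I): O => {
    if (ctx.user === null) throw new Error("UNAUTHORIZED");
    return resolve({ ...ctx, user: ctx.user }, input);
  };
}

// After: the input carries no userId; the feed is keyed on ctx.user.id.
const feedAll = protectedProcedure<{ limit: number }, string[]>((ctx, input) =>
  (FEEDS.get(ctx.user.id) ?? []).slice(0, input.limit),
);
```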