Dsek-LTH / web

The D-guild's primary web page
https://dsek-lth.github.io/web/
European Union Public License 1.2

AuthUser must be nullable #389

Open danieladugyan opened 3 months ago

danieladugyan commented 3 months ago

Our ZenStack login checks are implemented as auth() != null. This obviously won't work if we create User objects for logged out users.

```ts
// ZenStack-enhanced Prisma client; the `user` object becomes the auth() context
// that the schema's access policies evaluate.
event.locals.prisma = enhance(prisma, {
  user: {
    studentId: undefined,
    memberId: undefined,
    policies,
    externalCode: externalCode, // For anonymous users
  },
});
```

Proposed solution: Don't create User objects for logged out users. Handle externalCode as a separate field outside the User object, i.e. as a session id.

Macludde commented 3 months ago

Completely valid.

Macludde commented 3 months ago

This doesn't really work. auth() != null can't be used even if we remove externalCode as an anonymous user will still have a user object. This is because some policies will have the role "*", and thus they do need a user object which will contain their policies.

Perhaps we should not check for auth() != null but instead use access policies like everywhere else?

I do agree that externalCode could be changed to sessionId, however.
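As an added illustration of the two approaches discussed above (this is a constructed schema fragment, not code from the Dsek-LTH/web repository): a ZenStack model where a blanket `auth() != null` rule is replaced by rules that read the user's policies, so the same rules apply whether the User object belongs to a member or to an anonymous visitor carrying "*" policies. The Policy and Event models, the field names, and the policy names such as `events:read` are assumptions; the rules assume the `policies` relation is included in the user object passed to enhance(), as in the snippet in the first comment.

```zmodel
// Constructed example: model, field and policy names are assumptions.
model Policy {
  id    Int    @id @default(autoincrement())
  name  String          // e.g. "events:read", "events:update"
  role  String          // "*" applies to everyone, anonymous visitors included
  users User[]
}

model User {
  id       Int      @id @default(autoincrement())
  memberId String?             // null for an anonymous visitor
  policies Policy[]            // must be present in the enhance() user context

  @@auth()                     // this model is what auth() resolves to
}

model Event {
  id    Int    @id @default(autoincrement())
  title String

  // Weak: true for any non-null user context. Once anonymous visitors get a
  // User object (to carry their "*" policies), this no longer means "logged in".
  // @@allow('update', auth() != null)

  // Policy-based: the grant comes from the policies attached to the user, so a
  // member and an anonymous visitor are judged by the same rule. When
  // enhance() is called with no user at all, auth() is null and access is denied.
  @@allow('read', auth().policies?[name == 'events:read'])
  @@allow('update', auth().policies?[name == 'events:update'])
}
```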