Open eric-burel opened 3 weeks ago
This would be great!
Would be cool to actually start by showing auth at the data layer, e.g. a simple version could be a database query function like we have in our example here:

```ts
import { cache } from 'react';
// The sql`...` tag below is postgres.js syntax; the client setup and the User
// type's location are assumed here and should match your own app.
import postgres from 'postgres';
import type { User } from '@/app/lib/definitions';

const sql = postgres(process.env.POSTGRES_URL!, { ssl: 'require' });

// Resolves a session token to a user inside the data layer itself, so the
// session check is coupled to the query rather than to a route or layout.
// Wrapped in React's cache() so repeated calls in one request are deduplicated.
export const getUser = cache(async (sessionToken: string) => {
  const [user] = await sql<Pick<User, 'username'>[]>`
    SELECT
      users.username
    FROM
      users
      INNER JOIN sessions ON (
        sessions.token = ${sessionToken}
        AND users.id = sessions.user_id
        AND expiry_timestamp > now()
      )
  `;
  return user; // undefined when the token is unknown or the session has expired
});
```
Hi,
The authentication chapter describes using NextAuth to protect routes using a middleware.
However, in currently advocated best practices, middleware authentication checks have to be understood as a first line of defense. They should be completed by authorization checks at the Data Access Layer level.
The only use case where the middleware is enough is when setting up a paywall against static content, because an authentication check at middleware level doesn't opt into dynamic rendering, contrary to a check during data fetching. Also in the same article I've described the potential footgun of authenticating in layouts: it might be worth explaining in this tutorial maybe, so this mistake is avoided early on.
In terms of edits, I would simply suggest adding a few lines of text to explain exactly that: that you should also check authorization in the Data Access Layer and avoid checks in layouts.
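The layering described above, as an added example that is not part of this issue or of the Next.js tutorial: a middleware gate that serves only as a first line of defense, and a Data Access Layer where every data function verifies the session and the caller's role itself, at fetch time. All names here (`middlewareGate`, `verifySession`, `getCurrentUser`, `getAdminReport`, `Deps`, `outcome`) are assumptions for illustration; the session and user stores and the clock are injected in-memory stand-ins so the module runs without Next.js or a database, and the middleware is modelled as an optimistic cookie-presence check because an edge middleware typically cannot consult the sessions table.

```typescript
// Added example (not from the issue or the Next.js tutorial). Models a
// middleware gate as the first line of defense and a Data Access Layer (DAL)
// that performs the authoritative session and authorization checks itself.

export interface Session { userId: string; expiresAt: number }
export interface User { id: string; username: string; role: 'admin' | 'member' }

export interface Deps {
  sessions: Map<string, Session>; // stands in for the sessions table
  users: Map<string, User>;       // stands in for the users table
  now: () => number;              // injected clock, in seconds
}

// Errors carry a `kind` discriminator so callers can classify them.
export class UnauthorizedError extends Error { readonly kind = 'unauthorized' as const; }
export class ForbiddenError extends Error { readonly kind = 'forbidden' as const; }

// Layer 1: middleware. It only sees the request and, in an edge deployment,
// has no database access, so it can merely check that a session cookie is
// present (an optimistic check) and redirect anonymous requests early.
export function middlewareGate(cookieToken: string | undefined): 'next' | 'redirect:/login' {
  return cookieToken ? 'next' : 'redirect:/login';
}

// Layer 2: the DAL's session verification. This is the authoritative check:
// it resolves the token against the sessions store and enforces expiry, the
// same condition the SQL in the comment above expresses in its INNER JOIN.
export function verifySession(token: string | undefined, deps: Deps): Session {
  if (!token) throw new UnauthorizedError('no session token');
  const session = deps.sessions.get(token);
  if (!session || session.expiresAt <= deps.now()) {
    throw new UnauthorizedError('invalid or expired session');
  }
  return session;
}

// DAL functions verify before touching data, so a page that forgets a check,
// or a layout that does not re-run on client navigation, cannot leak data.
export function getCurrentUser(token: string | undefined, deps: Deps): Pick<User, 'username'> {
  const { userId } = verifySession(token, deps);
  const user = deps.users.get(userId);
  if (!user) throw new UnauthorizedError('session refers to an unknown user');
  return { username: user.username };
}

// Authorization (the role check) also lives in the DAL, not in the route.
export function getAdminReport(token: string | undefined, deps: Deps): string {
  const { userId } = verifySession(token, deps);
  const user = deps.users.get(userId);
  if (!user) throw new UnauthorizedError('session refers to an unknown user');
  if (user.role !== 'admin') throw new ForbiddenError(`${user.username} is not an admin`);
  return `report for ${user.username}`;
}

// Classifies the result of a DAL call so the two layers can be compared.
export function outcome(fn: () => unknown): 'ok' | 'unauthorized' | 'forbidden' {
  try {
    fn();
    return 'ok';
  } catch (e) {
    const kind = (e as { kind?: unknown }).kind;
    if (kind === 'unauthorized' || kind === 'forbidden') return kind;
    throw e;
  }
}

// Constructed sample data: a live member session and an expired admin session.
export const sampleDeps: Deps = {
  sessions: new Map<string, Session>([
    ['tok-alice', { userId: 'u1', expiresAt: 2000 }],
    ['tok-stale', { userId: 'u2', expiresAt: 500 }],
  ]),
  users: new Map<string, User>([
    ['u1', { id: 'u1', username: 'alice', role: 'member' }],
    ['u2', { id: 'u2', username: 'bob', role: 'admin' }],
  ]),
  now: () => 1000,
};
```

The instructive case is the expired token `tok-stale`: the middleware lets it through because a cookie is present, while the DAL rejects it, which is exactly why the middleware check alone is not sufficient. Likewise, a logged-in member reaches `getAdminReport` past the middleware and is stopped only by the role check inside the DAL.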