Should I be worried about rate limiting in NextAuth.js
Unanswered
Txie posted this in #help-forum
TxieOP
I'm trying to determine if I should be worried about rate limiting in my auth.js file, which holds my config for NextAuth. My jwt callback does connect to a database, but it's for determining if the user signing in is a verified client or admin. If neither, it just doesn't add any role to the token, which doesn't give them access to the client panel or admin panel.
5 Replies
Determining if the user signing in is a verified client or admin can still be done outside of the jwt callback. I don't think it's right to rate-limit role checks, though.
TxieOP
Just to explain, our client authorization process involves several key steps to securely add users to our database:
1. License Key Generation: An admin generates a unique license key for a new user. This key is associated with a special, non-public URL that directs the user to an account setup page.
2. Account Setup: Through this URL, the user can create an account. We offer OAuth as one of the login methods to streamline this process.
3. OAuth and Custom JWT Callback: For users choosing OAuth, we capture and process their login details using "next-auth/jwt". During the JWT callback phase, we store a custom value named provider. This allows us to record the user's chosen OAuth provider and their email address.
4. Database Entry: Once the account setup is complete, the user's details, including their provider type and email, are stored in our clients' database.
This approach, while unique, has proven effective for our needs. It ensures that only users with a valid license key can set up an account, providing an additional layer of security and control over who can access our services.
@Txie Are you referring to the signIn callback?
No, like in a custom function:
import { cache } from "react"
import { getServerSession } from "next-auth"  // NextAuth's server helper (the posted getUserSession is assumed to be this)
import { authOptions } from "@/auth"          // path to the NextAuth config is assumed
import { db } from "@/lib/db"                 // Prisma client export is assumed
export const getUserRole = cache(async () => { // cached per request; runs outside the jwt callback
  const session = await getServerSession(authOptions)
  if (!session?.user?.id) return null          // not signed in; session.user.id needs a session callback that exposes it
  const user = await db.user.findUnique({ where: { id: session.user.id } }) // findUnique takes a `where` object, not a bare id
  return user?.role ?? null
})