Next.js Discord

Is this a safe way to check user type?

Answered
Japanese common catfish posted this in #help-forum
Japanese common catfishOP
Is this a safe way to check user type
and render something for admin only?

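import auth from '@/helper/auth'
import { getServerSession } from 'next-auth'
import { redirect } from 'next/navigation'
// connectDB comes from the project's own database helper (its import is not shown in the post)

// admin/dashboard
const DashboardAdmin = async () => {
    // Read the session on the server; it is null when nobody is signed in
    const session = await getServerSession(auth)

    // Optional chaining: a missing session is redirected instead of throwing a TypeError
    if (session?.user?.type !== "admin") {
        redirect("/") // redirect() throws internally, so the return is only a safeguard
        return
    }

    await connectDB();

    // do something
}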
Answered by B33fb0n3

5 Replies

@B33fb0n3 looks good to me 👍
Japanese common catfishOP
so a bad actor can't change user.type?
@Japanese common catfish so a bad actor can't change user.type?
they can't change it, yea. That's because the JWT is signed and maybe encrypted. Only someone with the server secret can change it. The client does not have the server secret, so you are safe
Answer
Japanese common catfishOP
thank you, I am new to the auth thing
I am learning this
sure thing
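
The point made in the answer (a signed token cannot be altered without the server secret), as an added example that is not part of the thread and not next-auth's own code. It uses a plain HS256 JWT built with Node's crypto module; the secret, claims and helper names are constructed for illustration, and it checks the signature only, not expiry or encryption.

```javascript
const crypto = require('node:crypto');

// Constructed secret and claims; helper names are hypothetical, not next-auth APIs.
const SERVER_SECRET = 'constructed-demo-secret';
const b64url = (s) => Buffer.from(s).toString('base64url');
const hmac = (secret, data) => crypto.createHmac('sha256', secret).update(data).digest();

// Server side: sign the claims as a compact HS256 JWT.
function signToken(claims, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  return `${head}.${body}.${hmac(secret, `${head}.${body}`).toString('base64url')}`;
}

// Server side: return the claims only if the signature matches, else null.
function verifyToken(token, secret) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  try {
    const { alg } = JSON.parse(Buffer.from(head, 'base64url').toString());
    if (alg !== 'HS256') return null; // pin the algorithm, never trust the header
    const expected = hmac(secret, `${head}.${body}`);
    const given = Buffer.from(sig, 'base64url');
    if (given.length !== expected.length) return null;
    if (!crypto.timingSafeEqual(given, expected)) return null;
    return JSON.parse(Buffer.from(body, 'base64url').toString());
  } catch {
    return null; // malformed base64 or JSON
  }
}

// Client-side edit: change the type claim but keep the old signature.
function withEditedType(token, newType) {
  const [head, body, sig] = token.split('.');
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  return `${head}.${b64url(JSON.stringify({ ...claims, type: newType }))}.${sig}`;
}

function demo() {
  const token = signToken({ sub: 'user-1', type: 'user' }, SERVER_SECRET);
  return {
    genuine: verifyToken(token, SERVER_SECRET),
    edited: verifyToken(withEditedType(token, 'admin'), SERVER_SECRET),
    resigned: verifyToken(signToken({ sub: 'user-1', type: 'admin' }, 'guess'), SERVER_SECRET),
  };
}
console.log(demo());
```

The genuine token verifies with `type: 'user'`; both the edited token and the one signed with a different secret come back as `null`, so the server-side `type` check never sees the forged value.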