how to check authorization using server actions
Answered
French Angora posted this in #help-forum
French AngoraOP
Let's imagine I have a form that adds a message for a given user.
I would create a form with a server action and either add a hidden field linking to the userId or bind it to the action. How can I validate that the user hasn't tampered with that field? As far as I can tell I cannot make certain that the user hasn't changed it themselves to a different id, can I?
The only idea I have would come down to either encrypting the data using a synchronous key or to generate a JWT token using the data.
Answered by Sun bear
2 Replies
Sun bear
In general you should authenticate the user server-side, otherwise it's not safe.
In your server action you should have something like
//...
const user = await auth()
//...
I like NextAuth but of course you can handle it however you like.
Answer
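Added example (not code from the thread): the hidden-field version the question describes next to the session-based version the answer recommends. `auth()`, `messages`, `addMessage`, `addMessageTrustingForm`, the `sessionCookie` parameter and `tamperedForm` are stand-ins chosen here, not a project's API.

```javascript
// Added example, not code from the thread: a server action that takes the acting
// user from the server-side session instead of a hidden form field.
// auth() and the message store are in-memory stand-ins (assumption) so this runs
// offline; in a Next.js app auth() would come from your auth library.

// Stand-in session lookup keyed by a session cookie value (assumption).
async function auth(sessionCookie) {
  const sessions = { 'sess-alice': { user: { id: 'alice' } } };
  return Object.hasOwn(sessions, sessionCookie) ? sessions[sessionCookie] : null;
}

const messages = []; // stand-in for the database table

// Vulnerable shape: trusts whatever userId the browser put in the hidden field,
// so anyone can post "as" any user just by editing that field.
async function addMessageTrustingForm(formData) {
  const userId = String(formData.get('userId'));
  messages.push({ userId, text: String(formData.get('text')) });
  return userId;
}

// Hardened shape: the session decides who is acting; a hidden userId, if sent
// at all, must match the session or the request is refused.
async function addMessage(formData, sessionCookie) {
  const session = await auth(sessionCookie);
  if (!session) throw new Error('unauthenticated');
  const claimed = formData.get('userId');
  if (claimed !== null && claimed !== session.user.id) {
    throw new Error('forbidden: userId does not match the session');
  }
  messages.push({ userId: session.user.id, text: String(formData.get('text')) });
  return session.user.id;
}

// Constructed request: Alice is logged in, but the hidden field was edited to "bob".
function tamperedForm() {
  const fd = new FormData();
  fd.set('userId', 'bob');
  fd.set('text', 'hello');
  return fd;
}
```

Requires Node 18 or newer for the global `FormData`.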
French AngoraOP
Oh right, I had a knot in my head. I was thinking of passing the userId directly, that makes little sense as I would need to pass and validate whether the session is valid. My bad.