chore(backend,nextjs,types): Prevent system permissions usage in server-side #4816
🦋 Changeset detected
Latest commit: afad6c9
The changes in this PR will be included in the next version bump. This PR includes changesets to release 23 packages.
| it('prevents usage of system permissions with auth.has()', () => { | ||
| clerkMiddlewareMock(async (auth, _event, _request) => { | ||
| // @ts-expect-error - system permissions are not allowed | ||
| (await auth()).has({ permission: 'org:sys_foo' }); | ||
| }); | ||
| }); | ||
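Review bot: the body of `it('prevents usage of system permissions with auth.has()')` has no `expect(...)`, so the `// @ts-expect-error` line is the only assertion, and it holds only if this test file is type-checked as part of the test run; otherwise the case passes whatever the types say. Make sure the suite type-checks this file, and add a sibling call with a non-system permission and no `@ts-expect-error`, so the test also fails if the type starts rejecting every permission.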
Do you think we should add a test case for useAuth(), where the type says that sys permissions are allowed?
In order to not break something in the future.
Applied on 1da1b64
| type DisallowSystemPermissions<P extends string> = P extends `${OrganizationSystemPermissionPrefix}${string}` | ||
| ? 'System permissions are not included in session claims and cannot be used on the server-side' | ||
| : P; |
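Review bot: in `DisallowSystemPermissions`, a permission whose type has been widened to plain `string` does not match the template-literal pattern and falls through to the `: P` branch, so only string-literal arguments are caught; a value held in a variable typed `string` still type-checks. A doc comment on the type should state that limitation, and note that the true branch is an error-message literal so that the compiler output explains why the call was rejected.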
This is really cool!
This is a great initiative. I opened another PR pointing to this one that also addresses usage with I noticed that type checking does not work currently in our unit tests, so I would avoid merging this PR until that is resolved.

🙃 Avoid merging until this is merged

I am curious what our stance is on these type-only (build-time) checks when it comes to users that don't use TypeScript in their projects? Is there a downside to also having a run-time check/warning?

In this case it's mostly improved DX. You don't really care about DX if you are using JS, in my opinion. But if you feel strongly, a warning makes more sense than an error here, since the utility will simply return false or redirect you.

Also worth mentioning that this requirement might change in the future, when we deal with the wider problem of session claims bloating the browser cookie size. Most developers might not even notice the console warning when running on the server-side, although I see the point that they won't get the DX benefits of type-checks when using JavaScript only.
…er-side (#4816) Co-authored-by: panteliselef <panteliselef@outlook.com>
Description
Resolves ORGS-441
Context
System permissions (e.g., org:sys_domains:manage) are intentionally excluded from session claims to maintain reasonable JWT sizes. While these permissions work in client-side authorization checks (where they're validated against FAPI organization memberships), they cannot be verified server-side.
Problem
Despite documentation updates, developers continue to use server-side authorization checks with system permissions, leading to confusion and support tickets.
Solution
Add type-level validation to catch misuse of system permissions during development. I've opted not to introduce a runtime warning since developers might ignore it.
Checklist
pnpm test runs as expected.
pnpm build runs as expected.
Type of change
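The trade-off discussed in this PR, as an added example that is not code from the PR or from Clerk: the type-level guard next to the run-time fallback the thread debates and the PR does not add. `SYSTEM_PREFIX`, `createHas`, `Warn` and `demo` are hypothetical names, and the `org:sys_` prefix value is assumed from the permission strings quoted on this page.

```typescript
// Added example: names are hypothetical, not Clerk's implementation.
// Assumed prefix, taken from the 'org:sys_foo' / 'org:sys_domains:manage' strings on this page.
const SYSTEM_PREFIX = 'org:sys_' as const;
type SystemPermission = `${typeof SYSTEM_PREFIX}${string}`;

// Build-time guard: a literal system permission resolves to an error-message type,
// so the argument no longer matches the parameter and the call fails to compile.
type DisallowSystemPermissions<P extends string> = P extends SystemPermission
  ? 'System permissions are not included in session claims and cannot be used on the server-side'
  : P;

type Warn = (message: string) => void;

// Hypothetical server-side checker over the permissions carried in session claims.
function createHas(claimPermissions: readonly string[], warn: Warn = m => console.warn(m)) {
  return function has<P extends string>(params: { permission: DisallowSystemPermissions<P> }): boolean {
    const permission = String(params.permission);
    if (permission.indexOf(SYSTEM_PREFIX) === 0) {
      // Run-time fallback: reached from plain JavaScript, from values typed as
      // `string`, or when the type error was suppressed.
      warn(`"${permission}" is a system permission and is never present in session claims`);
      return false;
    }
    return claimPermissions.indexOf(permission) !== -1;
  };
}

// Exercises the three paths and returns the results for inspection.
function demo() {
  const warnings: string[] = [];
  const has = createHas(['org:posts:read'], m => { warnings.push(m); });
  const custom = has({ permission: 'org:posts:read' });
  // @ts-expect-error - a literal system permission is rejected by the type guard
  const literal = has({ permission: 'org:sys_domains:manage' });
  // Typed as `string`, so P is inferred as `string` and the type guard cannot see the prefix.
  const widened: string = 'org:sys_domains:manage';
  const viaString = has({ permission: widened });
  return { custom, literal, viaString, warnings };
}
```

Only the `literal` call is stopped by the compiler; the `viaString` call compiles and is caught by the run-time branch alone.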