Is there any docs or open source projects that show how to do authorization ?

[allanpope]

Say I have an app that has an Organization and Project model. I want to only show projects that belong to the users organization. If a user tries to access another organizations projects I want to restrict the access and show a permissions error page.

Does anyone know if any examples or open source blitz projects that do this and could be used as a reference?

I imagine you'd add orgId to the session. That way throughout the app you'll be able to grab it and use it. I'm just not sure the best way of implementing it. For example would you use a custom adapter? Do you throw a authorisation error if they don't have access?

[allanpope]

My current solution is to add this into the get org query. Not sure if there's a better way of doing this?

`
    if (ctx.session.orgId !== id) {
      throw new AuthorizationError()
    }``

[Skn0tt]

Another way of doing this is to restrict your database queries:

await db.project.findMany({
  where: { orgId: ctx.session.orgId }
})

That way, unauthorized users will be unable to see projects that they shouldn't access.

[osirvent]

So they would only need an orgId to access data they shouldn't...

[Skn0tt]

The user isn't able to change their session data, so that's not an attack vector.

[flybayer]

Here's how I do it.

Add orgId to session PublicData.

My resolver looks like this:

import { resolver, NotFoundError } from "blitz"
import db, { TestResult as TestResultBase } from "db"
import { ReportData } from "../types"
import * as z from "zod"
import { enforceAdminIfNotCurrentOrganization, setDefaultOrganizationId } from "app/core/utils"

const GetTestResult = z.object({
  id: z.number(),
  organizationId: z.number().optional(),
})

export default resolver.pipe(
  resolver.zod(GetTestResult),
  resolver.authorize(),
  setDefaultOrganizationId,
  enforceAdminIfNotCurrentOrganization,
  async ({ id, organizationId }) => {
    const testResult = await db.testResult.findFirst({
      where: { id, organizationId },
    })
    if (!testResult) throw new NotFoundError()
    return testResult
  }
)

And those utilities are here:

import { Ctx } from "blitz"
import { Prisma, Role } from "db"

function assert(condition: any, message: string): asserts condition {
  if (!condition) throw new Error(message)
}

export const setDefaultOrganizationId = <T extends Record<any, any>>(
  input: T,
  { session }: Ctx
): T & { organizationId: Prisma.IntNullableFilter | number } => {
  assert(session.orgId, "Missing session.orgId in setDefaultOrganizationId")
  if (input.organizationId) {
    return input as T & { organizationId: number }
  } else if (session.roles?.includes(Role.ADMIN) || session.roles?.includes(Role.PROCTOR)) {
    // Allow viewing any organization
    return { ...input, organizationId: { not: 0 } }
  } else {
    return { ...input, organizationId: session.orgId }
  }
}

export const enforceAdminIfNotCurrentOrganization = <T extends Record<any, any>>(
  input: T,
  ctx: Ctx
): T => {
  if (!ctx.session.orgId) throw new Error("missing session.orgId")
  if (!input.organizationId) throw new Error("missing input.organizationId")
  if (input.organizationId !== ctx.session.orgId) {
    ctx.session.$authorize(Role.ADMIN)
  }
  return input
}

[allanpope]

Thanks @flybayer