You're protecting your data wrong – Introducing the Protected Query Pattern

Published on: 2025-05-16 02:33:04

Securing modern full-stack applications can be complex. You have to manage authorizations in many different contexts, from UI to data mutation functions. In all of these contexts, you are required to query data and authorize access to it, maybe even conditionally redact and filter parts of it. This problem seems simple initially, but may quickly grow into a difficult beast to maintain and understand in real production applications with complex and ever-changing requirements. This guide introduces the protected query pattern as a solution to this problem.

Note: This guide views the problem from the perspective of full-stack web applications, such as ones built with Next.js; however, it is fully applicable to any application with server-side data fetching. This guide will use Kilpi to implement strong authorizations; however, the concepts can be transferred to your projects with or without using it.

Protecting your queries

To start off, you need a data access layer. This is non-neg ...