I’m working on a large web app that is intended to support lots of users, and each user will input a great deal of personal information. I’ve written an initial prisma schema, but it will grow a lot over time to track all the data. (This is a side-project, just me writing everything on the weekends, and my amount of time to code is quite limited, so I want to automate as much as possible, of course!)
I noticed that while Redwood does a great job at setting me up with default CRUD type operations, Cells, scaffolds, etc., there doesn’t seem to be anything built-in that handles multi-tenancy issues (aside from the user authentication support that’s built-in, of course).
I’d love a way to mark a Model as “user-associated” so that Redwood would automatically generate all the bits that perform authentication and authorization. On the frontend I want queries to be restricted by the current user id, and on the backend I want to enforce that all ops are checked for authorization against the current user specified in a JWT.
An example of what I’m talking about is all the steps in the tutorial here:
How hard would it be to automate all this? I wonder if it’s as simple as a flag that says that a model is user-specific, and some custom function that describes how to get the core “userId” variable from useAuth’s current user?
I also posted another question a little while ago about row-level security. That’s another step on top of this that I’d love to have, but basic authentication/authorization associated with individual DB models is my first requirement, of course. For my use cases it’s really rare that I’ll be pulling info out of a DB that isn’t user-restricted. I know this is different from, say, a site powering shared content like a public blog, etc., but I figure that user-restriction is a requirement for a large number of projects. Overall my feeling about Redwood (and auth) is that everything was going great as I got set up, I got useAuth working with a 3rd-party provider, but then the framework’s hand-holding sort of ended prematurely, and there wasn’t any other “magic” I could do to use useAuth everywhere necessary.
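As an added illustration of the “user-associated model” idea in the post (example code, not Redwood’s or Prisma’s own), here is a service-layer wrapper that pins every query on a Prisma-style model delegate to the current user’s id and rejects any attempt to query across that boundary. The in-memory delegate, the sample rows and the names `scopedModel`/`notesFor` are constructed stand-ins; in a real Redwood service the delegate would be e.g. `db.note` and the id would come from `context.currentUser`.

```javascript
// Added example, not Redwood's or Prisma's code: a wrapper that pins every query on a
// Prisma-style model delegate to the current user's id, so a service cannot read,
// create or delete another user's rows. The in-memory delegate is a constructed stand-in.
class AuthorizationError extends Error {}

// Hypothetical helper: returns a delegate whose operations are restricted to `userId`
// (in a Redwood service the id would come from context.currentUser after requireAuth()).
function scopedModel(delegate, userId) {
  if (!userId) throw new AuthorizationError('no authenticated user in context');
  // Merge the session user's id into a where/data object. A caller-supplied userId
  // that differs is either a bug or an attempt to cross the tenant boundary: reject it.
  const pin = (obj = {}) => {
    if (obj.userId !== undefined && obj.userId !== userId) {
      throw new AuthorizationError('query attempted to cross tenant boundary');
    }
    return { ...obj, userId };
  };
  return {
    findMany: (args = {}) => delegate.findMany({ ...args, where: pin(args.where) }),
    findFirst: (args = {}) => delegate.findFirst({ ...args, where: pin(args.where) }),
    create: (args) => delegate.create({ ...args, data: pin(args.data) }),
    deleteMany: (args = {}) => delegate.deleteMany({ ...args, where: pin(args.where) }),
  };
}

// Constructed in-memory delegate mimicking the subset of the Prisma API used above.
function memoryDelegate(rows) {
  const matches = (row, where) => Object.entries(where).every(([k, v]) => row[k] === v);
  return {
    findMany: ({ where }) => rows.filter((r) => matches(r, where)),
    findFirst: ({ where }) => rows.find((r) => matches(r, where)) ?? null,
    create: ({ data }) => {
      const row = { id: rows.length + 1, ...data };
      rows.push(row);
      return row;
    },
    deleteMany: ({ where }) => {
      const keep = rows.filter((r) => !matches(r, where));
      const count = rows.length - keep.length;
      rows.splice(0, rows.length, ...keep);
      return { count };
    },
  };
}
// Sample rows (constructed): one private note per user.
const notes = memoryDelegate([
  { id: 1, userId: 'u1', title: 'alice private' },
  { id: 2, userId: 'u2', title: 'bob private' },
]);
// What a resolver would call, e.g. notesFor(context.currentUser.id).findMany()
function notesFor(userId) { return scopedModel(notes, userId); }
```

Because the wrapper throws rather than silently rewriting a mismatched `userId`, a cross-tenant query shows up as an error in the service logs instead of returning the wrong user’s rows.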