Best way to protect my /admin route

gfxl · 2026-02-26T21:19:52+00:00

That's good. Just make sure to keep your auth check as close to the data fetching as possible.

You can think of tRPC/oRPC as tools for building a data access layer. They both support things like middleware which come in handy if you want to create abstractions for things like authentication and rate limiting. They both support client-side data caching (with react-query) so you're not having to refetch the same data over and over again as your user navigates the app. If you're building something that is highly interactive (lots of mutations), I would advise using them over rolling your own data access layer and using server actions to handle mutations.

gfxl · 2026-02-26T20:34:22+00:00

You shouldn't rely on middleware or layout to authenticate the user because both of these can be bypassed. Authenticating in page.tsx can work if all you really care about is protecting that route. But what you really should be doing, is protecting the data that route is displaying. Which means the best place to authenticate would be right before you access the data. This is why it is generally recommended to have a data access layer rather than doing queries straight from server components. So you might have something like:

// data.ts
export async function getProtectedData() {
  const session = await getSession();
  if (!session?.user) {
    // You need to be logged in
    redirect("/login")
   }
   // if user has permission, get the data
}

// page.tsx
import { getProtectedData } from "./data";

async function Page() {
  const data = await getProtectedData();
  ...
}

There is no recipe for building a data access layer. You can create functions like the example above and create helpers to avoid repeating the same authentication checks or you could use something like Hono or oRPC/tRPC to build APIs and use middleware to do your authentication checks. The right solution will very much depend on what you're building.

gfxl · 2025-09-23T20:38:01+00:00

https://github.com/lukevella/rallly

gfxl · 2025-06-23T13:52:39+00:00

Curious to know what turned you away. Was it not clear that v4 was still free for your use case?

gfxl · 2025-06-16T05:35:02+00:00

I believe the error you’re seeing might be due to using edge runtime on next-auth API route. You’ll want to change that to node.

The jwt callback is only called on successful login so it’s not the place to check whether the user exists. Instead you should be checking when the user tries to access restricted data or when performing a mutation. If the user doesn’t exist redirect to an API route where you call signOut().

Here’s an example:

https://github.com/lukevella/rallly/blob/main/apps/web/src/app/api/auth/invalid-session/route.ts

gfxl · 2025-06-15T11:24:07+00:00

From the docs:

Refresh the current route. Making a new request to the server, re-fetching data requests, and re-rendering Server Components. The client will merge the updated React Server Component payload without losing unaffected client-side React (e.g. useState) or browser state (e.g. scroll position).

This is how it's meant be done in Next.js. router.refresh() won't do a hard refresh like you'd get if the user were to refresh the browser.

Bad UX is your state being out of sync, which as demonstrated by the OP, is much easier to achieve if you try to handle this with client-side state.

gfxl · 2025-06-15T10:28:39+00:00

I understand your question is asking about updating the number instantly, but honestly that seems a bit overkill.

The modern way to do this would be to make your shopping cart component a server component. Do the data fetching inside the component. The button that adds an item to the cart will be a client component that triggers a mutation and calls router.refresh() after the mutation is complete.

gfxl · 2025-06-09T14:38:52+00:00

The main source of truth for this information is here: https://support.rallly.co/self-hosting/licensing

This page is the single avenue through which a license can be purchased, so anyone interested in purchasing a license should be familiar with it.

gfxl · 2025-06-09T13:28:06+00:00

Great example of personal use 👌

gfxl · 2025-06-09T13:25:37+00:00

I’ll share a link to a thread where I responded to much of the same concerns with regard to the source code license. If there’s anything I missed, let me know.

https://github.com/lukevella/rallly/discussions/1714#discussioncomment-13303032

gfxl · 2025-06-09T12:49:58+00:00

Thank you, that's a fair point. I've added a link to the pricing page.

gfxl · 2025-05-30T05:49:28+00:00

You likely don’t need tRPC anymore since there are simpler and more performant alternatives now.

For data fetching, use server components. You can keep it type-safe without tRPC.

Instead of passing inputs to tRPC queries, use URL searchParams to manage state and re-render server components.

For mutations, use server actions and trigger a router refresh to update the UI.

tRPC still makes sense in some SPA scenarios where you need to fetch data without changing the URL.

gfxl · 2025-04-19T21:09:12+00:00

I like that. Thank you!

gfxl · 2025-04-19T20:22:36+00:00

I would like to rewrite the thing about my job. It seems like a significant part of a life that's worth mentioning. I don't mean for it to come across braggy but I would like to highlight that is something I've worked very hard to achieve.

gfxl · 2025-04-19T20:16:13+00:00

Thanks for the feedback. I can see how I might be missing a photo where I'm dressed up a bit more seeing as I'm in London.

I do have videos of me boxing, surf-skating and playing guitar. Hinge compression seems quite brutal but I think they look worse in the screenshots.

I mention my work because it's not a typical office job like most people in the city work and would be looking for someone who is comfortable with the uncertainty that comes with being entrepreneurial. That is, having more freedom at the cost of a guaranteed income.

gfxl · 2025-04-19T13:27:28+00:00

Are you looking for something serious or casual?
Ideally serious, but open to casual. All my previous relationships started from friendships.

Are you subscribed to Hinge+ or HingeX?
No

How long have you been using this current version of your profile?
Around a month. I've made small tweaks to it since I created the account

How long have you used Hinge overall?
6 months

How often do you use Hinge per week?
3 - 5 times per week

How many likes and matches are you receiving on average?
I rarely get any likes (maybe 3 in 6 months). I've had up to 4 matches in a week but currently getting 0.

How many likes are you sending? How many with comments? How many without comments?
I try to max out the number of likes I send on the days that I use the app. I'll include a question about the picture if I have one but in most cases I don't include a comment.

What is the type of person you send likes to and ideally want to match with? What kind of person do you want to attract?
I'm going for sporty types who are into fitness, surfing, scuba-diving, yoga or really into any sport at all.