Refresh: Backend with TypeScript, PostgreSQL & Prisma part 3 β Authentication & Authorization (Prisma ORM 7 + Hono)#8003
Conversation
β¦) for Prisma ORM 7 + Hono Migrates passwordless email auth + JWT + authorization from Hapi to Hono: hono/jwt for signing/verifying, an authMiddleware replacing the jwt strategy, and reusable authorization middlewares (isRequestedUserOrAdmin, isTeacherOfCourseOrAdmin, requireAdmin) replacing Hapi pre-functions. SendGrid -> Resend with a debug fallback that logs the token when no key is set. Adds the Token model + isAdmin with an onDelete: Cascade relation. Kept author + date; updatedAt 2026-07-03. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
WalkthroughThe tutorial article was updated to describe a Prisma ORM 7 and Hono-based passwordless authentication and authorization flow instead of the prior Hapi-based approach. It also revises the email provider, middleware structure, routes, authorization checks, tests, and closing summary. ChangesBlog article rewrite
Estimated code review effort: 4 (Complex) | ~45 minutes Related PRs: None identified. Suggested labels: documentation, blog Suggested reviewers: None identified. Poem A rabbit hopped from Hapi's den, π₯ Pre-merge checks | β 5β Passed checks (5 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
The latest updates on your projects. Learn more about Argos notifications βοΈ
|
'Authz' is engineer shorthand and reads inconsistently next to the fully-spelled 'Authentication'. Spell it out so the title is clear for human and agent readers, and matches the metaTitle. Slug and metaTitle unchanged. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
There was a problem hiding this comment.
Actionable comments posted: 2
π€ Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In
`@apps/blog/content/blog/backend-prisma-typescript-orm-with-postgresql-auth-mngp1ps7kip4/index.mdx`:
- Line 226: The JWT_SECRET fallback in the blog example is a silent security
footgun because it lets deployments run with a published signing key. Update the
example around JWT_SECRET to fail fast when the environment variable is missing,
especially in production, and remove the default secret fallback so
misconfiguration is surfaced immediately. Use the JWT_SECRET constant and any
startup/config initialization code nearby to enforce this check.
- Around line 238-241: The email token generator currently uses Math.random(),
which is predictable for a credential; update generateEmailToken to use a CSPRNG
via crypto.randomInt(10000000, 100000000) while keeping the result as an 8-digit
string. Make sure the change stays within the existing generateEmailToken
function and preserves the current return format.
πͺ Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
βΉοΈ Review info
βοΈ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 48596fdd-b5cf-4898-9473-5b8b31d8599d
π Files selected for processing (1)
apps/blog/content/blog/backend-prisma-typescript-orm-with-postgresql-auth-mngp1ps7kip4/index.mdx
What
Refreshes part 3 of the series, Authentication & Authz (2020), for Prisma ORM 7. Follows #8000 (part 1) and #8001 (part 2), continuing the migration to Hono.
Key change: auth stack migrated Hapi β Hono
authMiddleware.hapi-auth-jwt2+jsonwebtokenare replaced by Hono's built-inhono/jwt(sign/verify, HS256), so no extra auth libraries.prefunctions β authorization middleware.isRequestedUserOrAdmin,isTeacherOfCourseOrAdmin, andrequireAdminare reusable Hono middlewares, mirroring how the Hapiprefunctions readrequest.auth.credentials.@sendgrid/mailbecomes a smallfetch-basedsendEmailToken, with a debug fallback that logs the token whenRESEND_API_KEYis unset, so the flow works locally with no provider.Schema changes
Tokenmodel +TokenTypeenum, madefirstName/lastNameoptional, addedisAdmin.onDelete: Cascadeon the TokenβUser relation soDELETE /users/{userId}keeps working once users have tokens (a real fix, not cosmetic).connectOrCreate, transactions, and aggregates are all stable in Prisma 7. Migrations:add-token,token-cascade.Other changes
updatedAt: 2026-07-03drives the visible "Updated" line and JSON-LDdateModified. Meta description updated (Hono).Testing
tsc --noEmitclean.vitest runβ 11/11 tests pass (status, login+authenticate flow, and authorization: 401 without token, 403 non-admin cross-user, admin override, self CRUD).Authorizationheader β/profile401 without / 200 with token β a reused email token is correctly rejected (401).pnpm types:checkpasses;pnpm lint:linksclean for this file; all external links 200.π€ Generated with Claude Code
Summary by CodeRabbit