Data
Advanced

Enterprise Data Access and Authorization

Build tenant-safe server-side data access with validation, transactions, and audit logs.

data-access
authorization
multi-tenant
audit

01. Keep data access server-only


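Enterprise applications should put database access in server-only modules. Client Components receive DTOs, not database clients, sessions, or unchecked row shapes. In the listing below, the `server-only` import makes the build fail if a Client Component imports the module, and the function resolves the session and checks queue access before it runs a query that returns only the selected fields.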

typescript
// lib/tickets/data.ts
import "server-only";

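/**
 * Lists the non-deleted tickets of one queue for the signed-in viewer.
 *
 * Order of operations matters here: the session is resolved first, queue
 * access is checked second, and only then is the ticket query issued. The
 * query is filtered by both `orgId` and `queueId`, and `select` limits the
 * result to summary fields, so callers receive a DTO-style projection rather
 * than whole rows.
 *
 * @param input - Organisation and queue identifiers of the queue to list.
 * @returns Ticket summaries ordered by priority, then by most recent update.
 * @throws Whatever `requireSession` or `requireQueueAccess` throw when the
 *   caller is not signed in or may not read the queue (their definitions are
 *   outside this listing).
 */
export async function listTicketsForQueue(input: {
  orgId: string;
  queueId: string;
}) {
  // Read the identifiers exactly once. `input` is a mutable object and this
  // function awaits between the access check and the query; taking a snapshot
  // guarantees that the ids that were authorized are the ids that are queried.
  const { orgId, queueId } = input;

  // NOTE(review): the `string` annotations are erased at runtime. If a caller
  // forwards request-derived values, they should be validated as strings
  // before this call, so that a non-string value never reaches the `where`
  // filter. Confirm where validation happens in the calling layer.

  const viewer = await requireSession();
  await requireQueueAccess(viewer.user.id, orgId, queueId);

  // NOTE(review): no `take` limit is set, so the result size is bounded only
  // by the queue's contents. Confirm that is acceptable for large queues.
  return db.ticket.findMany({
    where: {
      // Tenant and queue scoping, plus a soft-delete filter.
      orgId,
      queueId,
      deletedAt: null,
    },
    // Explicit allow-list of columns returned to the caller.
    select: {
      id: true,
      subject: true,
      priority: true,
      status: true,
      updatedAt: true,
    },
    orderBy: [{ priority: "desc" }, { updatedAt: "desc" }],
  });
}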