To secure a Next.js + Prisma + PlanetScale stack, you need to: (1) implement authorization checks in application code, since PlanetScale has no row-level security (RLS), (2) rely on Prisma's parameterized, type-safe queries rather than raw SQL to prevent SQL injection, (3) use PlanetScale branches for environment isolation, (4) store DATABASE_URL securely in environment variables, and (5) use deploy requests for safe production migrations. This blueprint covers server-side authorization patterns with Prisma ORM.
TL;DR
Prisma's query builder parameterizes every query, which prevents SQL injection as long as you avoid raw SQL built from user input, but PlanetScale doesn't have row-level security. Key tasks: implement authorization in application code, use PlanetScale branches for environment isolation, store DATABASE_URL in environment variables, and use deploy requests for safe production migrations.
Prisma Configuration

```prisma
datasource db {
  provider     = "mysql"
  url          = env("DATABASE_URL")
  relationMode = "prisma" // Required for PlanetScale: relations are emulated by Prisma instead of database foreign keys
}
```
Application-Level Authorization

```typescript
import { getServerSession } from 'next-auth';
import { authOptions } from '@/lib/auth';   // path is an assumption: your NextAuth options module
import { prisma } from '@/lib/prisma';      // path is an assumption: your PrismaClient singleton

export async function PUT(req: Request, { params }: { params: { id: string } }) {
  // Authentication: reject requests that carry no valid session
  const session = await getServerSession(authOptions);
  if (!session?.user?.id) {
    return Response.json({ error: 'Unauthorized' }, { status: 401 });
  }
  // Authorization: PlanetScale has no RLS, so ownership must be checked here
  const post = await prisma.post.findUnique({ where: { id: params.id } });
  if (post?.authorId !== session.user.id) {
    // Same response whether the post is missing or owned by someone else
    return Response.json({ error: 'Forbidden' }, { status: 403 });
  }
  // Safe to update...
}
```
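The ownership check above can also be expressed as a single conditional write, which closes the gap between reading the post and updating it. This is an added TypeScript example, not code from the original blueprint; the `Db` interface is a hypothetical stand-in for the PrismaClient methods used (`post.updateMany` with a compound `where` and its `{ count }` result match Prisma's real API), so the logic runs without a database.

```typescript
// Added example: ownership enforced inside the UPDATE itself rather than by a
// separate read. `Db` is a hypothetical interface covering only the PrismaClient
// method this handler needs, so it can be exercised with an in-memory fake.

type Session = { user?: { id?: string } } | null;
type PostUpdate = { title?: string; body?: string };

interface Db {
  post: {
    updateMany(args: {
      where: { id: string; authorId: string };
      data: PostUpdate;
    }): Promise<{ count: number }>;
  };
}

// Allow-list of fields the client may change; anything else (e.g. authorId) is dropped.
function pickAllowed(input: Record<string, unknown>): PostUpdate {
  const out: PostUpdate = {};
  if (typeof input.title === 'string') out.title = input.title;
  if (typeof input.body === 'string') out.body = input.body;
  return out;
}

export async function updateOwnPost(
  db: Db,
  session: Session,
  postId: string,
  input: Record<string, unknown>,
): Promise<{ status: number; error?: string }> {
  // Authentication
  const userId = session?.user?.id;
  if (!userId) return { status: 401, error: 'Unauthorized' };

  const data = pickAllowed(input);
  if (Object.keys(data).length === 0) return { status: 400, error: 'No updatable fields' };

  // Authorization: the authorId predicate is part of the UPDATE, so a post that
  // is not owned by the caller (or does not exist) matches zero rows.
  const { count } = await db.post.updateMany({
    where: { id: postId, authorId: userId },
    data,
  });
  // Same response for "not yours" and "not found": no existence leak.
  if (count === 0) return { status: 403, error: 'Forbidden' };
  return { status: 200 };
}
```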
Security Checklist

Pre-Launch Checklist

- DATABASE_URL in environment variables
- Separate branches for dev/prod
- Authorization checks in all routes
- SSL enabled in connection string
- Deploy requests for prod migrations
- No raw SQL with user input
Alternative Stacks
Consider these related blueprints:
- Next.js + Supabase + Vercel - For PostgreSQL with RLS
- T3 Stack - Next.js + tRPC + Prisma + NextAuth
- Next.js + Firebase - For NoSQL with Firestore