# How to build a secure project management platform with Next.js, Clerk, and Neon Around 30,000 websites and applications are hacked every day\*, and the developer is often to blame. The vast majority of breaches occur due to misconfiguration rather than an actual vulnerability. This could be due to exposed database credentials, unprotected API routes, or data operations without the proper authorization checks just to name a few. It’s important to ensure that your application is configured in a way that prevents attackers from gaining unauthorized access to user data. In this article, you’ll learn how to build a project management web application while considering security best practices throughout. Although this article can be followed by itself, it is the second in a series covering the process of building **Kozi** - a collaborative project and knowledge management tool. Throughout the series, the following features will be implemented: - Create organizations to invite others to manage projects as a team. - A rich, collaborative text editor for project and task notes. - A system to comment on projects, tasks, and notes. - Automatic RAG functionality for all notes and uploaded files. - Invite users from outside your organization to collaborate on individual tasks. - Be notified when events occur on tasks you subscribe to, or you are mentioned in comments or notes. ## What makes this a “secure” project management system? Data security is considered throughout this guide by using the following techniques: ### Clerk and the Next.js middleware Clerk is a [user management platform for Next.js](https://clerk.com/nextjs-authentication) designed to get authentication into your application as quick as possible by providing a complete suite of user management tools as well as drop-in UI components. Behind the scenes, Clerk creates fast expiring tokens upon user sign-in that are sent to your server with each request, where Clerk also verifies the identify of the user. Clerk integrates with Next.js middleware to ensure every request to the application is evaluated before it reaches its destination. In the section where the middleware is configured, we instruct the middleware to protect any route starting with `/app` so that only authenticated users may access them. This means that before any functions are executed (on the client or server), the user will need to be authenticated. ### Server actions In this project, server actions are the primary method of interacting with the data in the database. Direct access to the database should always happen on the server and NEVER on the client where tech-savvy users can gain access to the database credentials. Since all functions that access the database are built with server actions, they do not execute client-side. It's important to note that calling these server actions should only ever be performed from protected routes. When a Next.js client component executes a server action, an HTTP POST request of form data is submitted to the current path with a unique identifier of the action for Next.js to route the data internally. This means that calling a server function from an anonymous route might result in anonymous users getting access to the data. This potential vulnerability is addressed in the next section. ### Database requests Protecting access to the functions is only one consideration. Each request will have an accompanying user identifier which can be used to determine the user making that request. This identifier is stored alongside the records the user creates, allowing each request for data to ONLY return the data associated with that user. When making data modifications, the requesting user ID is cross-referenced with the records being modified or deleted so that one user cannot affect another user’s data. The combination of protecting access to the routes, being mindful of calling server actions, and cross-referencing database queries with the user making the request ensures that the data within the application is secure and only accessible to those who have access to it. ## How to follow along Kozi is an open-source project, with each article in the series having corresponding start and end branches. This makes it easy to jump in at any point to get hands-on experience with the concepts outlined in each piece, as well as a point of reference if you simply want to see the completed code. Here are links to the specific branches: - [`article-2-start`](https://github.com/bmorrisondev/kozi/tree/article-2-start) - [`article-2-end`](https://github.com/bmorrisondev/kozi/tree/article-2-end) You should have a basic understanding of Next.js and React as well. ### Launching the project Once the branch above is cloned, open the project in your editor or terminal and run the following command to start up the application: ```bash npm install npm run dev ``` Open your browser and navigate to the URL displayed in the terminal to access Kozi. At the bottom right of the screen, you should see Clerk is running in keyless mode. Click the button to claim your keys and associate this instance to your Clerk account. If you don’t have an account, you’ll be prompted to create one. ![Claim your Clerk keys](./claim-keys.png) You are now ready to start building out the core functionality of Kozi! ## Setting up the database To store structured data, you’ll be using a serverless instance of Postgress provided by Neon. Start by heading to [neon.tech](http://neon.tech) and creating an account if you don’t have one. Create a new database and copy the connection string as shown below. ![Copy the connection string](./neon-cs.png) Create a new file in your local project named `.env.local` and paste the following snippet, replacing the placeholder for your specific Neon database connection string. ``` DATABASE_URL= ``` ### Configuring Prisma Prisma is used as the ORM to access and manipulate data in the database, as well as apply schema changes to the database as the data needs are updated. Open the project in your IDE and start by creating the schema file at `prisma/schema.prisma`. Paste in the following code: filename: prisma/schema.prisma ```prisma generator client { provider = "prisma-client-js" } datasource db { provider = "postgresql" url = env("DATABASE_URL") } model Project { id String @id @default(cuid()) name String description String? owner_id String created_at DateTime @default(now()) updated_at DateTime @updatedAt is_archived Boolean @default(false) } model Task { id String @id @default(cuid()) title String description String? owner_id String is_completed Boolean @default(false) created_at DateTime @default(now()) updated_at DateTime @updatedAt project_id String? } ``` > We’re using the `owner_id` column instead of `user_id` since this application will be updated to support teams and organizations in a future entry. Next, create the `src/lib/db.ts` file and paste in the following code which will be used throughout the application to create a connection to the database: filename: src/lib/db.ts ```ts import { PrismaClient } from '@prisma/client' const globalForPrisma = globalThis as unknown as { prisma: PrismaClient | undefined } export const prisma = globalForPrisma.prisma ?? new PrismaClient() if (process.env.NODE_ENV !== 'production') globalForPrisma.prisma = prisma ``` To sync the schema changes to Neon, run the following command in the terminal: ```bash npx prisma db push ``` If you open the database in the Neon console and navigate to the Tables menu item, you should see the `projects` and `tasks` tables shown. ![Neon tables](./neon-tables.png) Finally, since it is not best practice to use the Prisma client in any client-side components, you’ll want a file to store interfaces so that TypeScript can recognize the structure of your objects when passing them between components. Create the `src/app/app/models.ts` file and paste in the following: filename: src/app/app/models.ts ```ts export interface Task { id: string title: string description?: string | null is_completed: boolean created_at: Date updated_at: Date project_id?: string | null owner_id: string } export interface Project { name: string id: string description: string | null owner_id: string created_at: Date updated_at: Date is_archived: boolean } ``` ## Configure `/app` as a protected route with Clerk Clerk’s middleware uses a helper function called `createRouteMatcher` that lets you define a list of routes to protect. This includes any pages, server actions, or API handlers stored in the matching folders of the project. All of the core functionality of the application will be stored in the `/app` route, so update `src/middleware.ts` to use the `createRouteMatcher` to protect everything in that folder: filename: src/middleware.ts ```ts import { clerkMiddleware, createRouteMatcher } from '@clerk/nextjs/server' const isProtectedRoute = createRouteMatcher(['/app(.*)']) export default clerkMiddleware(async (auth, req) => { if (isProtectedRoute(req)) await auth.protect() }) export const config = { matcher: [ // Skip Next.js internals and all static files, unless found in search params '/((?!_next|[^?]*\.(?:html?|css|js(?!on)|jpe?g|webp|png|gif|svg|ttf|woff2?|ico|csv|docx?|xlsx?|zip|webmanifest)).*)', // Always run for API routes '/(api|trpc)(.*)', ], } ``` The `/app` route will use a different layout from the landing page, which will contain a collapsible sidebar that contains the `` (a Clerk UI component that lets users manage their profile and sign out), an inbox for tasks, and a list of projects that tasks can be created in. Start by creating the `src/app/app/components/Sidebar.tsx` file to render the elements of the sidebar: filename: src/app/app/components/Sidebar.tsx ```tsx 'use client' import { cn } from '@/lib/utils' import { ChevronRightIcon, ChevronLeftIcon, InboxIcon } from 'lucide-react' import React from 'react' import Link from 'next/link' import { UserButton } from '@clerk/nextjs' function Sidebar() { const [isCollapsed, setIsCollapsed] = React.useState(false) return (
) } export default Sidebar ``` Now create `src/app/app/layout.tsx` to render the sidebar with the pages in the `/app` route: filename: src/app/app/layout.tsx ```tsx import * as React from 'react' import Sidebar from './components/Sidebar' export default function AppLayout({ children }: { children: React.ReactNode }) { return (
{children}
) } ``` Next, create `src/app/app/page.tsx` which is just a simple page that renders some text to make sure the `/app` route works as expected: filename: src/app/app/page.tsx ```tsx import React from 'react' import { auth } from '@clerk/nextjs/server' import { redirect } from 'next/navigation' export default async function AppHome() { const { userId } = await auth() if (!userId) { return redirect('/sign-in') } return
Inbox
} ``` Open the application in your browser and test out the changes by navigating to the `/app` which should automatically redirect you to the `/sign-in` route where you can create an account and make sure `/app` only works when authenticated. [View video](./kozi-sign-in-opt.mp4) ## Working with tasks At the core of every project is a list of tasks, so now we’ll configure the ability to create and work with tasks in the default Inbox list. Several components will be used to provide the following application structure. The following image shows how these components will be used: ![Kozi UI diagram](./kozi-diagram.png) These are all client components so they will need corresponding server actions so they can interact with the database securely. Create the `src/app/app/actions.ts` file and paste in the following code: filename: src/app/app/actions.ts ```ts 'use server' import { auth } from '@clerk/nextjs/server' import { prisma } from '@/lib/db' import { revalidatePath } from 'next/cache' export async function createTask(formData: FormData) { const { userId } = await auth() if (!userId) { throw new Error('Unauthorized') } const title = formData.get('title') as string if (!title?.trim()) { throw new Error('Title is required') } await prisma.task.create({ data: { title: title.trim(), owner_id: userId, project_id: null, }, }) revalidatePath('/app') } export async function toggleTask(taskId: string) { const { userId } = await auth() if (!userId) { throw new Error('Unauthorized') } const task = await prisma.task.findUnique({ where: { id: taskId }, }) if (!task || task.owner_id !== userId) { throw new Error('Task not found or unauthorized') } await prisma.task.update({ where: { id: taskId }, data: { is_completed: !task.is_completed }, }) revalidatePath('/app') } ``` We’re going to start with the `` component which renders the field where users can create tasks. Create the `src/app/app/components/CreateTaskInput.tsx` file and paste in the following: filename: src/app/app/components/CreateTaskInput.tsx ```tsx 'use client' import { useState } from 'react' import { Input } from '@/components/ui/input' import { Button } from '@/components/ui/button' import { createTask } from '@/app/app/actions' import { PlusIcon } from 'lucide-react' export default function CreateTaskInput() { const [title, setTitle] = useState('') const [isSubmitting, setIsSubmitting] = useState(false) const handleSubmit = async (e: React.FormEvent) => { e.preventDefault() // Don't create a task if the title is empty if (!title.trim()) return try { setIsSubmitting(true) const formData = new FormData() formData.append('title', title) await createTask(formData) setTitle('') } finally { setIsSubmitting(false) } } return (
setTitle(e.target.value)} placeholder="Add a task..." className="flex-1 border-0 bg-transparent text-gray-900 shadow-none focus-visible:ring-0 focus-visible:ring-offset-0 dark:text-gray-100" />
) } ``` Next, we’ll move on to ``, which will display the name of the task and allow users to toggle it using a checkbox, as is standard in task-centric applications. Create the `src/app/app/components/TaskCard.tsx` file and paste in the following: filename: src/app/app/components/TaskCard.tsx ```tsx 'use client' import React from 'react' import { toggleTask } from '../actions' import { cn } from '@/lib/utils' import { Task } from '@prisma/client' interface Props { task: Task } export default function TaskCard({ task }: Props) { return (
{/* Checkbox */} {/* Task details */}

{task.title}

{task.description && (

{task.description}

)}
) } ``` Finally, create the `` component to render the list of tasks and the input to create new ones. Create the `src/app/app/components/TaskList.tsx` file and paste in the following: filename: src/app/app/components/TaskList.tsx ```tsx 'use client' import React from 'react' import TaskCard from './TaskCard' import CreateTaskInput from './CreateTaskInput' import { Task } from '@prisma/client' interface Props { title: string tasks: Task[] } export default function TaskList({ title, tasks }: Props) { return (

{title}

{tasks.length === 0 ? (

No tasks

) : ( tasks.map((task) => ) )}
) } ``` With all of our components created, update the `src/app/app/page.tsx` to match the following code which uses the components created above, as well as queries the database for all tasks on load: filename: src/app/app/page.tsx ```tsx import React from 'react' import { auth } from '@clerk/nextjs/server' import { redirect } from 'next/navigation' import { prisma } from '@/lib/db' import TaskList from './components/TaskList' export default async function AppHome() { const { userId } = await auth() if (!userId) { return redirect('/sign-in') } // Get the user's inbox tasks const tasks = await prisma.task.findMany({ where: { owner_id: userId, project_id: null, }, orderBy: { created_at: 'desc', }, }) return (
) return
Inbox
} ``` If you access the application again, you can now create tasks in your inbox and complete them. [View video](./kozi-create-task-opt.mp4) ### Editing and deleting tasks Now that you can create tasks, the next step is to set up a modal so clicking the task (outside of the checkbox) will display the modal and allow you to change the name of the task and set a description if needed. As a design decision, this modal does not include a save button but rather debounces any edits for 1 second to create an experience where users can quickly save values and avoid another click. The modal will also create a menu in the header which allows you to delete the task. Start by appending the following code to `src/app/app/actions.ts`: filename: src/app/app/actions.ts ```ts export async function updateTask(formData: FormData) { const { userId } = await auth() if (!userId) { throw new Error('Unauthorized') } const id = formData.get('id') as string const title = formData.get('title') as string const description = formData.get('description') as string if (!id || !title?.trim()) { throw new Error('Invalid input') } const task = await prisma.task.findUnique({ where: { id }, }) if (!task || task.owner_id !== userId) { throw new Error('Task not found or unauthorized') } await prisma.task.update({ where: { id }, data: { title: title.trim(), description: description?.trim() || null, }, }) revalidatePath('/app') } export async function deleteTask(taskId: string) { const { userId } = await auth() if (!userId) { throw new Error('Unauthorized') } // Delete the task await prisma.task.delete({ where: { id: taskId, owner_id: userId, // Ensure the task belongs to the user }, }) revalidatePath('/app') } ``` Next, create the `src/app/app/components/EditTaskModal.tsx` and paste in the following: filename: src/app/app/components/EditTaskModal.tsx ```tsx 'use client' import { useEffect, useState } from 'react' import { useDebouncedCallback } from 'use-debounce' import { Dialog, DialogContent, DialogHeader, DialogTitle } from '@/components/ui/dialog' import { Textarea } from '@/components/ui/textarea' import { useRouter } from 'next/navigation' import { updateTask, toggleTask, deleteTask } from '../actions' import { Folder, MoreVertical, Trash2, X } from 'lucide-react' import { Button } from '@/components/ui/button' import { DropdownMenu, DropdownMenuContent, DropdownMenuItem, DropdownMenuTrigger, } from '@/components/ui/dropdown-menu' import { AlertDialog, AlertDialogAction, AlertDialogCancel, AlertDialogContent, AlertDialogDescription, AlertDialogFooter, AlertDialogHeader, AlertDialogTitle, } from '@/components/ui/alert-dialog' import { Task } from '../models' interface Props { task: Task open: boolean onOpenChange: (open: boolean) => void projectName?: string } export default function EditTaskModal({ task: initialTask, open, onOpenChange, projectName, }: Props) { const [task, setTask] = useState(initialTask) const [title, setTitle] = useState(task.title) const [description, setDescription] = useState(task.description || '') const [isSubmitting, setIsSubmitting] = useState(false) const [showDeleteConfirm, setShowDeleteConfirm] = useState(false) const router = useRouter() // Reset form when modal opens useEffect(() => { if (open) { setTask(initialTask) setTitle(initialTask.title) setDescription(initialTask.description || '') } }, [open, initialTask]) const saveChanges = useDebouncedCallback(async () => { if (!title.trim()) return try { setIsSubmitting(true) const formData = new FormData() formData.append('id', task.id) formData.append('title', title.trim()) formData.append('description', description.trim()) await updateTask(formData) router.refresh() } finally { setIsSubmitting(false) } }, 1000) async function onToggleCompleted() { const newIsCompleted = !task.is_completed setTask((prev) => ({ ...prev, is_completed: newIsCompleted })) try { await toggleTask(task.id) } catch (error) { // Revert on error setTask((prev) => ({ ...prev, is_completed: !newIsCompleted })) } } function titleRef(el: HTMLTextAreaElement | null) { if (el) { el.style.height = '2.5rem' // Set initial height const scrollHeight = el.scrollHeight const minHeight = 40 // 2.5rem in pixels el.style.height = `${Math.max(scrollHeight, minHeight)}px` } } function onTitleChange(e: React.ChangeEvent) { setTitle(e.target.value) saveChanges() // Auto-adjust height after value changes const el = e.target el.style.height = '2.5rem' // Reset to minimum height const scrollHeight = el.scrollHeight const minHeight = 40 // 2.5rem in pixels el.style.height = `${Math.max(scrollHeight, minHeight)}px` } function onDescriptionChange(e: React.ChangeEvent) { setDescription(e.target.value) saveChanges() } async function handleDelete() { try { await deleteTask(task.id) onOpenChange(false) router.refresh() } catch (error) { console.error('Failed to delete task:', error) } } return ( <> {/* The edit task modal */}
{projectName ?? 'Inbox'}
setShowDeleteConfirm(true)} className="text-red-600 dark:text-red-400" > Delete Task