Secure, reusable data access patterns with DTOs and Taint checks. Use when building a data access layer with DTOs and server-side taint checking in Next.js.
Security
77 Stars
26 Forks
Updated Jan 18, 2026, 04:24 AM
Why Use This
This skill provides specialized capabilities for HoangNguyen0403's codebase.
---
name: Next.js Data Access Layer
description: Secure, reusable data access patterns with DTOs and Taint checks. Use when building a data access layer with DTOs and server-side taint checking in Next.js.
metadata:
  labels: [nextjs, dal, architecture, security]
triggers:
  files: ['**/lib/data.ts', '**/services/*.ts', '**/dal/**']
  keywords: [DAL, Data Access Layer, server-only, DTO]
---
# Data Access Layer (DAL)
## **Priority: P1 (HIGH)**
Centralize all data access (Database & External APIs) to ensure consistent security, authorization, and caching.
## Principles
1. **Server-Only**: Must include `import 'server-only'` to prevent Client bundling.
2. **Auth Co-location**: Auth checks (`session.role`) must be **inside** the DAL function.
3. **DTO Transformation**: Return plain objects (DTOs), never raw ORM instances.
4. **No Internal Fetch**: Call DAL functions directly. Do not `fetch('localhost/api')`.
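The principles above in one minimal DAL module, as an added example (not code from the skill or from the HoangNguyen0403 repository). The in-memory `USERS` table, the `Session` shape and the hash placeholders are constructed; `import 'server-only'` and React's `experimental_taintUniqueValue` call are shown only as comments so the file runs stand-alone outside Next.js.

```typescript
// Added example, not from the skill or the HoangNguyen0403 repo. In a real Next.js
// module the first statement would be `import 'server-only'`, and the DTO step would
// also call React's experimental_taintUniqueValue on the hash; both are left as
// comments here so the file runs stand-alone.

type Role = "admin" | "user";
export interface Session { userId: string; role: Role }

// Raw ORM-style record (constructed in-memory). This shape never leaves the DAL.
interface UserRecord { id: string; name: string; email: string; passwordHash: string }

// Plain DTO: only the fields the caller is allowed to see, no ORM methods or secrets.
export interface UserDTO { id: string; name: string; email?: string }

// Constructed sample data standing in for the database.
const USERS: UserRecord[] = [
  { id: "u1", name: "Alice", email: "alice@example.com", passwordHash: "<constructed-hash-1>" },
  { id: "u2", name: "Bob", email: "bob@example.com", passwordHash: "<constructed-hash-2>" },
];

export class UnauthorizedError extends Error {
  constructor(message: string) { super(message); this.name = "UnauthorizedError"; }
}

// DTO transformation: email only for the owner or an admin; passwordHash is never copied.
// With taint enabled you would add here:
//   experimental_taintUniqueValue("Do not pass password hashes to the client", user, user.passwordHash);
export function toUserDTO(user: UserRecord, viewer: Session): UserDTO {
  const dto: UserDTO = { id: user.id, name: user.name };
  if (viewer.role === "admin" || viewer.userId === user.id) dto.email = user.email;
  return dto;
}

// Auth co-location: the session check lives inside the DAL, so every caller
// (Server Component, Server Action, Route Handler) gets the same enforcement.
export function getUser(id: string, session: Session | null): UserDTO | null {
  if (!session) throw new UnauthorizedError("login required");
  const user = USERS.find((u) => u.id === id);
  return user ? toUserDTO(user, session) : null;
}
```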
## Implementation
| Approach | When to use | Reference |
| :-------------------- | :----------------------------------------------- | :---------------------------------- |
| **API Gateway (BFF)** | Enterprise apps with separated Backend (NestJS). | [Pattern A](references/patterns.md) |
| **Direct DB** | Fullstack apps or Admin Panels. | [Pattern B](references/patterns.md) |
## Limitations
- **Client Components**: Cannot import DAL files. Must use Server Actions or Route Handlers as bridges.