Authorization while caching response

[Zain-ul-din]

I have a simple application, where I'm fetching a goal by using MongoDB $and operator $and: [{ _id: { $eq: new ObjectId(id) } }, { userId: { $eq: userId } }] since my caching key is made of docId and the userId route should be protected other users not supposed to access the document. But I just log in from another account but can still access the data from unauthorized users.

import "server-only";
import { getCachedAuth } from "@/lib/auth";
import { getDB } from "@/lib/db";
import { dbCollections } from "@/lib/db/collections";
import { unstable_cache as cache } from "next/cache";
import { CacheKeys, constructUserCacheKey } from "@/dal/cache";
import { toJSON } from "@/lib/utils";
import { Goal } from "@/types/goal";
import { ObjectId } from "mongodb";

export const getGoal = async (id: string) => {
  const [db, { userId }] = await Promise.all([getDB(), getCachedAuth()]);
  const cacheKey = constructUserCacheKey(CacheKeys.Goals, id);

  return cache(
    async () => {
      const goal = await db.collection(dbCollections.goals).findOne({
        $and: [{ _id: { $eq: new ObjectId(id) } }, { userId: { $eq: userId } }]
      });

      return goal ? (toJSON(goal) as Goal) : null;
    },
    [cacheKey],
    {
      tags: [cacheKey],
      revalidate: false
    }
  )();
};

cache.ts

import invariant from "invariant";

export enum CacheKeys {
  Goals,
  Profile
}

const isValidKey = (key: string) =>
  key.length > 0 && typeof key !== "undefined";

export const constructCacheKey = (key: CacheKeys, ...otherKeys: string[]) => {
  invariant(
    otherKeys.every(isValidKey),
    `Invalid cache key ${key + ":" + otherKeys.join(":")}`
  );
  return `${key}:${otherKeys.join(":")}`;
};

export const constructUserCacheKey = (
  key: CacheKeys,
  userId: string,
  ...otherKeys: string[]
) => {
  return constructCacheKey(key, userId, ...otherKeys);
};

auth.ts

import "server-only";
import { cache } from "react";
import { auth, currentUser } from "@clerk/nextjs/server";

export const getCachedAuth = cache(auth);
export const getCachedCurrentUser = cache(currentUser);

Usage:

export default async function GoalPage({
  params
}: {
  params: Promise<{ slug: string }>;
}) {
  const { slug } = await params;
  const goal = await getGoal(slug);

  if (!goal) return notFound();
  return <></>
 }