Authorization first, then the database would be better in our use case I think, moving less data around