Optimal way of handling two types of users (authorisation)
I have two types of users, who can all do some operations, but each have their own unique set of pages/operations they can complete.
For the operations, I am adding a simple check against their property, and I am redirecting off unauthorised pages manually.
What I'm primarily asking is whether there's a simple way of blocking access to all routes matching a certain pattern unless a user matches certain requirements? E.g. users marked as "creator" should only be able to access routes that are under "/creator/".
4 Replies
Hi @CamBlackwood. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
----------------------
Currently, Wasp does not provide a built-in way to block access to routes matching specific patterns based on user roles or properties. However, there are a few approaches you can take to implement this kind of authorization in your Wasp app:
1. Manual checks in each component:
You can continue with your current approach of manually checking user properties and redirecting unauthorized users in each component. This is a valid solution, although it can become repetitive.
2. Higher-order component:
You could create a higher-order component that wraps your protected pages and performs the authorization check. This would allow you to reuse the logic across multiple components.
3. Custom middleware:
While Wasp doesn't currently offer built-in middleware for this purpose, you could implement your own authorization middleware in your Express server setup.
4. Route-based checks:
For pages, you can use the authRequired property in your page declarations to ensure only authenticated users can access certain pages (Wasp Docs - Auth Overview: https://wasp-lang.dev/docs/auth/overview#protecting-a-page-with-authrequired). However, this doesn't distinguish between different user types.
For more granular control over user roles and permissions, you might need to implement your own solution. As mentioned by a Wasp team member in a Discord conversation:
Discord support thread (https://discord.com/channels/686873244791210014/1211733266235916358)
"You can add a role field to the User entity, and you can then in your queries/actions check the value of that role and based on that make a decision if they should be able to execute that query/action or not. If they are not allowed, you can throw HttpError 403 or something like that."
For your specific requirement of blocking access to routes under "/creator/" for non-creator users, you would need to implement this logic yourself, either in your React components or by creating a custom routing solution. It's worth noting that Wasp is planning to add more robust authorization features in the future, including potential support for role-based access control (RBAC) (Github Issue - RFC: Support for Permissions: https://github.com/wasp-lang/wasp/issues/584). However, these features are not yet available in the current version of Wasp.
----------------------
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
----------------------
Sorry @CamBlackwood, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist: Perhaps try again in 15mins?
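As an added example (this is not code from the thread above or from Wasp itself), here is what the two pieces of the approach described in the bot's answer look like in plain JavaScript: a server-side role check for queries/actions that throws a 403, and a deny-by-default route-prefix policy that implements the "/creator/" requirement on the client. The HttpError class is a local stand-in for Wasp's HttpError from 'wasp/server' so the file runs without Wasp; the role field on User, its values ('creator', 'consumer'), the publishPost operation and the sample users are assumptions made for illustration.

```javascript
// Added example, not Wasp's own code. Role checks for Wasp-style operations
// plus a route-prefix policy for the client. Wasp APIs are stand-ins.

// Assumption: stand-in for Wasp's HttpError from 'wasp/server', which is
// constructed as new HttpError(statusCode, message).
class HttpError extends Error {
  constructor(statusCode, message) {
    super(message);
    this.statusCode = statusCode;
  }
}

// Assumption: allowed values of a `role` field added to the User entity.
const ROLES = Object.freeze(['creator', 'consumer']);

// Server side: guard an operation. Returns the authenticated user, or throws
// 401 (not logged in) / 403 (logged in but wrong or unknown role).
// The role is read from context.user, which Wasp fills from the session;
// never trust a role value sent by the client in args.
function requireRole(context, allowedRoles) {
  const user = context && context.user;
  if (!user) throw new HttpError(401, 'Authentication required');
  if (!ROLES.includes(user.role)) throw new HttpError(403, 'Unknown role');
  if (!allowedRoles.includes(user.role)) {
    throw new HttpError(403, `Role '${user.role}' may not perform this operation`);
  }
  return user;
}

// Wrap an operation implementation (args, context) so the check always runs
// before any work is done, instead of being repeated in every operation.
function withRoles(allowedRoles, impl) {
  return (args, context) => {
    requireRole(context, allowedRoles);
    return impl(args, context);
  };
}

// Hypothetical action: only creators may publish.
const publishPost = withRoles(['creator'], (args, context) => ({
  title: args.title,
  authorId: context.user.id,
}));

// Client side: route policy, deny by default, first matching prefix wins.
// Prefixes end in '/' and the pathname is normalised to a trailing '/',
// so '/creator' is protected but '/creator-blog' is not mistaken for it.
const ROUTE_POLICY = [
  { prefix: '/creator/', roles: ['creator'] },
  { prefix: '/consumer/', roles: ['consumer'] },
  { prefix: '/', roles: ROLES }, // shared pages: any known role
];

// pathname is expected to be location.pathname (no query string).
function canAccessRoute(user, pathname) {
  if (!user) return false;
  const path = pathname.endsWith('/') ? pathname : pathname + '/';
  const rule = ROUTE_POLICY.find((r) => path.startsWith(r.prefix));
  return Boolean(rule) && rule.roles.includes(user.role);
}

// Constructed sample users.
const creator = { id: 1, role: 'creator' };
const consumer = { id: 2, role: 'consumer' };

module.exports = { HttpError, requireRole, withRoles, publishPost, canAccessRoute, creator, consumer };
```

In a Wasp app the requireRole call would sit at the top of each query/action implementation (or the operation would be wrapped with withRoles), and canAccessRoute would be evaluated in a higher-order component or a wrapper around the router that redirects when it returns false. The client-side check is only a usability measure; the server-side 403 is the control that actually enforces the policy, since anything in the browser can be bypassed.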
Sounds like custom middleware is probably the way to go!
Custom middleware is an option for the backend, although it is mostly aimed at API stuff, not so much at Operations (Actions, Queries). It is not an option for the frontend if I am correct. I created an issue here for this https://github.com/wasp-lang/wasp/issues/2396, so we can make it better.
I don't think we currently have an easy way, on the frontend, to say that under a specific route, certain logic has to be satisfied / executed. That would certainly be valuable. I added a note for it here: https://github.com/wasp-lang/wasp/issues/1072 .
Sounds good, thanks Martin!