Multiple roles for users in organizations
Hey!
I recently found Better Auth and it's wonderful, have been setting up now to use JWTs so that I can pass it to my different backends. Didn't quite figure out how to verify the signed cookie without doing a database-call so I opted for what I have been using with Auth0. Perhaps if someone knows about that please let me know.
But to the question, my use-case includes organizations, so I'm using the plugin for that. However, I notice that the "role" field is in singular, and to me it doesn't seem possible to do anything other than just map the field to another name. I could do something like attach roles to the user, but that stops me from becoming as granular as I'd like, since in some cases one user would need to have different roles for different organizations. And also I'd like to include the permissions in my JWT, seems like a common practice as well so maybe someone here has done it?
So, in essence, does anyone know how to have multiple roles per org-member? If it's possible?
Thanks,
Albin
6 Replies
if you're using the organization plugin, it stores members' roles in the members table rather than users. Meaning a user that's a member in an org has their own role.
for jwt you can provide a custom payload by passing the definePayload option to the jwt plugin.
in most cases you don't need the jwt plugin unless you're connecting to an external system that needs a jwt
Hey Bekacru!
Thanks for the answers. I'm aware of the first thing, that it's on the member level, but the thing is that it's in "singular", i.e. you can only have one role per organization. What I was getting at in my message was kind of a workaround where I would manually extend the user data, which would not be on the member level, since the member can't be extended, to my knowledge.
Yep, I used the definePayload one but I guess the real issue is how to get those permissions/roles for attaching.
Yeah I hope that's true! I just need to find a good way to integrate it with my current auth setup, which uses JWT. Like, the thing is that it looks like from this:
That one would have to do this for all endpoints, but perhaps I'm missing something about how to properly use plugins. I gotta validate the session somehow when I get a request on an endpoint which isn't the Better Auth endpoints. Like right now I've got a setup that verifies the JWT against a public key on every endpoint, through a decorator. Wouldn't be hard to forge one if there's no actual check against either the session cookie cache on the server or the one in the DB.
You can extend the member as you want, it's just that getActiveOrganization or similar actions won't return those fields.
if the endpoint that validates the jwt exists on the same server as better auth you don't need to use jwt. Use auth.api.getSession to fetch the current session and you use that to validate.
if you need to customize what is returned as a session you can use customSession. https://www.better-auth.com/docs/concepts/session-management#customizing-session-response
Hm yeah that’s kind of a bummer. Like in RBAC it’s commonplace to have multiple roles per user (/member). Going to feature request that then.
Not using an endpoint for validating the JWT. That’s the neat thing, I’ve got a public key to verify it with, which I had hoped I could do with the session cookie too. But perhaps it’ll be alright since I will most likely do this in an auth module that’ll be included in all my services. Then they’ll all have access to the database and hence, the getSession.
Ok the custom session could come in handy, but I don’t think it can be used to solve the thing with the permissions.
Oh but I see what you mean though with the session. If I just write a lil function for getting the permissions from the roles, and get the roles from the database, I can get the permissions directly in the getSession-response, which is great for checking for my endpoint decorators
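The "lil function" sketched above and the customSession/definePayload suggestion before it, as an added example that is not Better Auth's own code: it assumes one members-table row per (user, organization), that several roles can be kept in the single role column as a comma-separated string, and an app-defined role-to-permission table; the rows below are constructed sample data standing in for a database query.

```typescript
// Added example (not Better Auth code): derive per-organization roles and
// permissions from members-table rows so they can be returned from
// customSession(...) or placed in the JWT via definePayload(...).
// Assumption: multiple roles are stored in the single `role` column as a
// comma-separated string such as "admin,billing".

type MemberRow = { userId: string; organizationId: string; role: string };

// Assumed app-level mapping; the organization plugin does not define this.
const ROLE_PERMISSIONS: Record<string, readonly string[]> = {
  owner: ["org:delete", "member:invite", "member:remove", "project:write"],
  admin: ["member:invite", "project:write"],
  billing: ["invoice:read", "invoice:pay"],
  member: ["project:read"],
};

type OrgAccess = Record<string, { roles: string[]; permissions: string[] }>;

// Build { [organizationId]: { roles, permissions } } for a single user.
function buildOrgAccess(userId: string, rows: MemberRow[]): OrgAccess {
  const access: OrgAccess = {};
  for (const row of rows) {
    if (row.userId !== userId) continue;
    const roles = row.role.split(",").map((r) => r.trim()).filter(Boolean);
    const entry = access[row.organizationId] ?? { roles: [], permissions: [] };
    for (const role of roles) {
      if (!entry.roles.includes(role)) entry.roles.push(role);
      // Unknown role names grant nothing: fail closed instead of guessing.
      for (const p of ROLE_PERMISSIONS[role] ?? []) {
        if (!entry.permissions.includes(p)) entry.permissions.push(p);
      }
    }
    access[row.organizationId] = entry;
  }
  return access;
}

// The check an endpoint decorator runs against the session or JWT claims.
function hasPermission(access: OrgAccess, orgId: string, perm: string): boolean {
  return access[orgId]?.permissions.includes(perm) ?? false;
}

// Constructed sample rows in place of a query against the members table.
const SAMPLE_ROWS: MemberRow[] = [
  { userId: "u1", organizationId: "acme", role: "admin,billing" },
  { userId: "u1", organizationId: "globex", role: "member" },
  { userId: "u2", organizationId: "acme", role: "owner" },
];
```

A JWT verified only against the public key carries these claims as a snapshot from issue time, so a role removed after issuance stays in the token until it expires; keep token lifetimes short or re-check via getSession for sensitive actions.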
@Laktos were you able to figure this out? I too have the same intent of making a multi-tenant app and need to support users having multiple roles for RBAC/ABAC features
It’s coming out in 1.2 so should be around the corner! It’s in beta now.
But as of right now, it’s not supported.