Getting FORBIDDEN (403) error when using authClient.admin

Auth config:

export const auth = betterAuth({
  database: prismaAdapter(prisma, { provider: "mysql" }),

  user: {
    additionalFields: {
      document: {
        type: "string",
      },
    },
  },

  plugins: [
    admin({
      adminRoles: [Role.ADMIN],
      defaultRole: Role.AUDITOR,
    }),
    expo(),
  ],

  trustedOrigins: [process.env.APP_URL ?? raise("APP_URL not set"), "locsystem://"],

  emailAndPassword: { enabled: true },
});

export const auth = betterAuth({
  database: prismaAdapter(prisma, { provider: "mysql" }),

  user: {
    additionalFields: {
      document: {
        type: "string",
      },
    },
  },

  plugins: [
    admin({
      adminRoles: [Role.ADMIN],
      defaultRole: Role.AUDITOR,
    }),
    expo(),
  ],

  trustedOrigins: [process.env.APP_URL ?? raise("APP_URL not set"), "locsystem://"],

  emailAndPassword: { enabled: true },
});

Calling this code to change role

authClient.admin.setRole({
  userId: user.id,
  role: data.role,
  fetchOptions: { throw: true },
})

authClient.admin.setRole({
  userId: user.id,
  role: data.role,
  fetchOptions: { throw: true },
})

It also happens when creating a new user. The solution for now is call this functions server side but it would be nice if this works well. I'm logged as an ADMIN and the response is:

Solution:

https://github.com/better-auth/better-auth/pull/2128

GitHub

fix(admin): defaultRoles, adminRoles + others not applying user con...

Additional info: https://discord.com/channels/1288403910284935179/1357780287571886120/1357780287571886120

Jump to solution

14 Replies

Arthur MendesOP•3w ago

I'm using @casl to RBAC:

register: privateProcedure
    .input(
      z.object({
        email: z.string().email(),
        name: z.string(),
        password: z.string(),
        document: z.string(),
        role: z.nativeEnum(Role).optional(),
      })
    )
    .mutation(async ({ input, ctx }) => {
      console.log(ctx.user);
      ctx.throw("Você não tem permissão para cadastrar usuário").ifCannot("create", "user");

      const data = await auth.api.createUser({
        headers: await headers(),
        body: {
          email: input.email,
          name: input.name,
          password: input.password,
          data: { document: input.document },
        },
      });

      await prisma.user.update({ where: { id: data.user.id }, data: { role: input.role } });

      await ctx.log("registerUser", { createdUserId: data.user.id });

      return data;
    }),

register: privateProcedure
    .input(
      z.object({
        email: z.string().email(),
        name: z.string(),
        password: z.string(),
        document: z.string(),
        role: z.nativeEnum(Role).optional(),
      })
    )
    .mutation(async ({ input, ctx }) => {
      console.log(ctx.user);
      ctx.throw("Você não tem permissão para cadastrar usuário").ifCannot("create", "user");

      const data = await auth.api.createUser({
        headers: await headers(),
        body: {
          email: input.email,
          name: input.name,
          password: input.password,
          data: { document: input.document },
        },
      });

      await prisma.user.update({ where: { id: data.user.id }, data: { role: input.role } });

      await ctx.log("registerUser", { createdUserId: data.user.id });

      return data;
    }),