Wasp•13mo ago

Optimial way of handling two types of users (authorisation)

I have two types of users, who can all do some operations, but each have their own unique set if pages/operations they can complete.

For the operations, I am adding a simple check against their property, and I am redirecting off unauthorised pages manually.

What I'm primarily asking is that if there's a simple way of blocking access to all routes matching a certain pattern unless a user matches certain requirements? Eg users marked as "creator" should only be able to access routes that are under "/creator/"

kapa.ai•12/4/24, 3:43 PM

Hi @CamBlackwood. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

kapa.ai•12/4/24, 3:44 PM

----------------------
Currently, Wasp does not provide a built-in way to block access to routes matching specific patterns based on user roles or properties. However, there are a few approaches you can take to implement this kind of authorization in your Wasp app:

Manual checks in each component:You can continue with your current approach of manually checking user properties and redirecting unauthorized users in each component. This is a valid solution, although it can become repetitive.
Higher-order component:You could create a higher-order component that wraps your protected pages and performs the authorization check. This would allow you to reuse the logic across multiple components.
Custom middleware:While Wasp doesn't currently offer built-in middleware for this purpose, you could implement your own authorization middleware in your Express server setup.
Route-based checks:For pages, you can use the `authRequired` property in your page declarations to ensure only authenticated users can access certain pages **Wasp Docs - Auth Overview** (<https://wasp-lang.dev/docs/auth/overview#protecting-a-page-with-authrequired>). However, this doesn't distinguish between different user types.

For more granular control over user roles and permissions, you might need to implement your own solution. As mentioned by a Wasp team member in a Discord conversation:

Discord support thread (🙋questionsHi, how do you add authorization ?)

"You can add rolerole field to
User
User
entity, and you can then in your queries/actions check the value of that role and based on that make a decision if they should be able to execute that query/action or not. If they are not allowed, you can throw HttpError 403 or something like that."

kapa.ai•12/4/24, 3:44 PM

For your specific requirement of blocking access to routes under "/creator/" for non-creator users, you would need to implement this logic yourself, either in your React components or by creating a custom routing solution.

It's worth noting that Wasp is planning to add more robust authorization features in the future, including potential support for role-based access control (RBAC) Github Issue - RFC: Support for Permissions (https://github.com/wasp-lang/wasp/issues/584). However, these features are not yet available in the current version of Wasp.
----------------------
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
----------------------

kapa.ai•12/4/24, 3:44 PM

Sorry @CamBlackwood, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist:

Perhaps try again in 15mins?

CamBlackwoodOP•12/4/24, 3:45 PM

sounds like custom middleware is probably the way to go!

martinsos•12/4/24, 7:30 PM

Custom middleware is an option for backend, although it is mostly aimed for API stuff, not so much for Operations (Actions, Queries). It is not an option for frontend if I am correct. I created an issue here for this https://github.com/wasp-lang/wasp/issues/2396, so we can make it better.

I don't think we currently have an easy way, on the frontend, to say that under specific route, certian logic has to be satisfied / executed. That would certainly be valuable., I added a note for it here: https://github.com/wasp-lang/wasp/issues/1072 .

CamBlackwoodOP•12/4/24, 8:00 PM

Sounds good, thanks Martin!

Optimial way of handling two types of users (authorisation)

Similar Threads

Similar Threads

Similar Threads