Limit sign-in to portal by role
Hi, i have multiple roles for the user, we're just using basic email password & oAuth sign in for certain roles,
(so 4 roles, 3 of which require only email password sign-in while the last user can have either email password or oAuth)
user1 - email + password
user2 - email + password
user3 - email + password
user4 - email + password or oAuth sign-in
now we'd like to limit what portal they can login from, sign-up is already limited to the portal as a role is assigned client side as a signup argument (or gets defaulted to user4 if not provided - for oAuth sign-up where we cant provide args), however on sign in, we'd want a way to tell the user their acc is invalid to login from the incorrect portal (for context continuity)
one aspect was using hooks to check the url however this wouldn't entirely work as we are using tabs for the prior 3 user types, so they share the same URL, another would be to have our own api endpoint, and return a generic incorrect user error (so as to not inform a malicious user if that email exists)
then there's the case of oAuth sign-in ensuring it is limited to the specific user4 role type when they sign back in, as after they have made a account, we have auto-link enabled, we'd like to prevent if the prior 3 users can sign-in with oAuth.
however, i'd like to ask what the best idiomatic way to handle this case is with better auth? maybe we're missing something that would make this whole thing easier?
(so 4 roles, 3 of which require only email password sign-in while the last user can have either email password or oAuth)
user1 - email + password
user2 - email + password
user3 - email + password
user4 - email + password or oAuth sign-in
now we'd like to limit what portal they can login from, sign-up is already limited to the portal as a role is assigned client side as a signup argument (or gets defaulted to user4 if not provided - for oAuth sign-up where we cant provide args), however on sign in, we'd want a way to tell the user their acc is invalid to login from the incorrect portal (for context continuity)
one aspect was using hooks to check the url however this wouldn't entirely work as we are using tabs for the prior 3 user types, so they share the same URL, another would be to have our own api endpoint, and return a generic incorrect user error (so as to not inform a malicious user if that email exists)
then there's the case of oAuth sign-in ensuring it is limited to the specific user4 role type when they sign back in, as after they have made a account, we have auto-link enabled, we'd like to prevent if the prior 3 users can sign-in with oAuth.
however, i'd like to ask what the best idiomatic way to handle this case is with better auth? maybe we're missing something that would make this whole thing easier?
Solution
oh forgot i posted this but if anyone else is strugglign with this, use the following:
something of that sort, where we pass down a query param within the login code:
with oAuth you will have to hard code the role you want, for me its only one role so its fine,
just check if
something of that sort, where we pass down a query param within the login code:
with oAuth you will have to hard code the role you want, for me its only one role so its fine,
just check if
ctx.path.startswith('/callback/')Location
Was this page helpful?
