1 reply

How to set up consistent authorization across different plugins?

Hi, I need help setting up consistent authorization for my app.
- Tech stack: The app is a Tanstack Start App set up just as described here https://www.better-auth.com/docs/integrations/tanstack.

- The app: The app itself is meant to be used as a internal tool for a company, We (me and the admins) need to have strict control on the users that sign up to the app. The sign up flow that best suits my use case is:
1. I create a superuser for myself.
2. I invite the admins using the magic link (this also crates their users)
3. They invite with the same flow the rest of the users and manage them with a dashboard.

- The problem: The POST /sign-in/magic-link endpoint (used to send the invite and create the users) doesn't check if you're an admin (that's what I need). In fact it doesn't even check if you're authenticated meaning that anyone can create a user for themselves.

My first thought was to use the before hooks provided by better auth, but I don't seem to find the request user on the context that this hook provides:

hooks: {
  before: createAuthMiddleware(async (ctx) => {
    if (ctx.path === "/sign-up/email") {
        if (ctx.body.email !== process.env.SUPERUSER_EMAIL) {
            throw new APIError("FORBIDDEN", {
              message: "Sign up is disabled for this email.",
            });
        }
    if (ctx.path === "/sign-in/magic-link") {
      // Logic to prevent magic link sign-in to non admin users
    }
  })
}

hooks: {
  before: createAuthMiddleware(async (ctx) => {
    if (ctx.path === "/sign-up/email") {
        if (ctx.body.email !== process.env.SUPERUSER_EMAIL) {
            throw new APIError("FORBIDDEN", {
              message: "Sign up is disabled for this email.",
            });
        }
    if (ctx.path === "/sign-in/magic-link") {
      // Logic to prevent magic link sign-in to non admin users
    }
  })
}

This is how I'm calling it in the frontend:

onSubmit: async ({ value }) => {
   await authClient.signIn.magicLink({
      email: value.email, 
      name: value.name,
      newUserCallbackURL: "/welcome",
   });
},

onSubmit: async ({ value }) => {
   await authClient.signIn.magicLink({
      email: value.email, 
      name: value.name,
      newUserCallbackURL: "/welcome",
   });
},

I want to know what are my options to mitigate this problem (and if there is something that I'm doing wrong).

How to set up consistent authorization across different plugins?

hooks: {
  before: createAuthMiddleware(async (ctx) => {
    if (ctx.path === "/sign-up/email") {
        if (ctx.body.email !== process.env.SUPERUSER_EMAIL) {
            throw new APIError("FORBIDDEN", {
              message: "Sign up is disabled for this email.",
            });
        }
    if (ctx.path === "/sign-in/magic-link") {
      // Logic to prevent magic link sign-in to non admin users
    }
  })
}

hooks: {
  before: createAuthMiddleware(async (ctx) => {
    if (ctx.path === "/sign-up/email") {
        if (ctx.body.email !== process.env.SUPERUSER_EMAIL) {
            throw new APIError("FORBIDDEN", {
              message: "Sign up is disabled for this email.",
            });
        }
    if (ctx.path === "/sign-in/magic-link") {
      // Logic to prevent magic link sign-in to non admin users
    }
  })
}

This is how I'm calling it in the frontend:

onSubmit: async ({ value }) => {
   await authClient.signIn.magicLink({
      email: value.email, 
      name: value.name,
      newUserCallbackURL: "/welcome",
   });
},

onSubmit: async ({ value }) => {
   await authClient.signIn.magicLink({
      email: value.email, 
      name: value.name,
      newUserCallbackURL: "/welcome",
   });
},

I want to know what are my options to mitigate this problem (and if there is something that I'm doing wrong).

How to set up consistent authorization across different plugins?

How to set up consistent authorization across different plugins?

Similar Threads

Similar Threads

Similar Threads