How to set up consistent authorization across different plugins?

Hi, I need help setting up consistent authorization for my app.
  • Tech stack: The app is a Tanstack Start App set up just as described here https://www.better-auth.com/docs/integrations/tanstack.
  • The app: The app itself is meant to be used as an internal tool for a company. We (me and the admins) need to have strict control over the users that sign up to the app. The sign up flow that best suits my use case is:
    1. I create a superuser for myself.
    2. I invite the admins using the magic link (this also creates their users)
    3. They invite with the same flow the rest of the users and manage them with a dashboard.
  • The problem: The **POST /sign-in/magic-link** endpoint (used to send the invite and create the users) doesn't check if you're an admin (that's what I need). In fact it doesn't even check if you're authenticated meaning that anyone can create a user for themselves.
My first thought was to use the before hooks provided by better auth, but I don't seem to find the request user on the context that this hook provides:

```ts
import { createAuthMiddleware, APIError } from "better-auth/api";

hooks: {
  before: createAuthMiddleware(async (ctx) => {
    // Only the superuser may sign up with email/password.
    if (ctx.path === "/sign-up/email") {
      if (ctx.body.email !== process.env.SUPERUSER_EMAIL) {
        throw new APIError("FORBIDDEN", {
          message: "Sign up is disabled for this email.",
        });
      }
    }
    if (ctx.path === "/sign-in/magic-link") {
      // Logic to prevent magic link sign-in to non admin users
    }
  })
}
```


This is how I'm calling it in the frontend:

```ts
onSubmit: async ({ value }) => {
  await authClient.signIn.magicLink({
    email: value.email,
    name: value.name,
    newUserCallbackURL: "/welcome",
  });
},
```


I want to know what are my options to mitigate this problem (and if there is something that I'm doing wrong).