I need developers' opinions on my authentication & security design choice. I have chosen to use JWT custom claims for RBAC.
Here's my project: a student portal that can be signed in to as (a) a Parent or as (b) a Student.
(a) If signed in as a Parent, the Parent can sign in using any of their children's Student IDs, and will then see all their children's data upon sign-in.
(b) If signed in as a Student, the student must only use their own Student ID, will only see their own data upon sign-in, and cannot see their siblings' data.
Requirements:
- The client wants the password to be the Student ID allocated to each student, so that these kids don't have any issues with forgetting their passwords, and the admin still has control over them, to prevent kids from changing their passwords too frequently, keep forgetting them, and so on.
- Not all students have emails, so sign-in will require full name + Student ID as the password.
- When signed in, the student portal basically shows the student's data, their class information, announcements, and a payment form (no payment gateway used, just a form submission), so that's the sensitive part. Parents who sign in basically see the same thing, but for multiple children.
So my doubt is: is this really a good choice, to use JWT custom claims for authenticating sign-ins instead of using Supabase's default user registration/sign-in authentication? When I checked, it requires each user to have an email, and I couldn't think of a way to handle accounts as described in (a) & (b) using this default email & password handling.
Assume I'm inexperienced and need guidance from actual devs. I need feedback too. Thanks!