Role-based Access Control (RBAC) User Authorization in Next.js

  • Published: 3 Aug 2024
  • Auth hooks enable us to modify the access token with custom claims to add Role-Based Access Control (RBAC) to our Supabase project. In this example we’re looking at a Next.js Slack Clone with different permission levels for users, moderators, and admins.
    - Read the docs: supabase.com/docs/guides/auth...
    - Find the code: github.com/supabase/supabase/...
    Presented by Thor Schaeff (@thorwebdev go.thor.bio/x)
    CHAPTERS:
    00:00 Intro to custom JWT claims and RBAC
    00:47 Demo of the Slack Clone example
    02:27 Create tables for user roles and permissions
    03:20 Using Auth hooks to modify the JWT
    05:45 Enable the auth hook in Supabase
    06:05 Enable the auth hook in local dev
    06:40 Authorize based on user roles in RLS policies
    08:18 Accessing user roles in your application
    09:01 Outro
    👇 Learn more about Supabase 👇
    🕸 Website: supabase.com/
    🏁 Get started: app.supabase.com/
    📄 Docs: supabase.com/docs
    🔔 Subscribe for more tutorials and feature updates from Supabase: / @supabase
    📱 Connect with Us:
    🐙 Github: github.com/supabase
    💬 Discord: discord.supabase.com/
    🐦 Twitter: / supabase
    📸 Instagram (follow for memes): / supabasecom
    ABOUT SUPABASE:
    Supabase is the open source Firebase alternative. Supabase provides a full Postgres database for every project with pgvector, backups, realtime, and more. Add and manage email and password, passwordless, OAuth, and mobile logins to your project through a suite of identity providers and APIs.
    Build in a weekend, scale to millions.
    #Supabase #AppDevelopment #RealtimeApps #DeveloperTools
  • Science
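The pipeline the chapters outline (tables for roles and permissions, an Auth hook that writes the role into the JWT, RLS policies that read it back) looks roughly like the following. This is an added illustration, not the video's or the repository's code. The `app_role` and `app_permission` enums, the `user_roles` and `role_permissions` tables, the `public.channels` table and the claim name `user_role` are assumptions for the example; the hook's shape (one `jsonb` event in, the modified event out) and the `supabase_auth_admin` role are how Supabase's Custom Access Token hook is invoked.

```sql
-- Added example (not the video's or repository's code). Assumed names:
-- app_role / app_permission enums, user_roles / role_permissions tables,
-- a public.channels table, and the claim name 'user_role'.

-- 1. Roles, and the permissions each role carries.
create type public.app_role as enum ('admin', 'moderator');
create type public.app_permission as enum ('channels.delete', 'messages.delete');

create table public.user_roles (
  id      bigint generated by default as identity primary key,
  user_id uuid references auth.users on delete cascade not null,
  role    public.app_role not null,
  unique (user_id, role)
);

create table public.role_permissions (
  id         bigint generated by default as identity primary key,
  role       public.app_role not null,
  permission public.app_permission not null,
  unique (role, permission)
);

insert into public.role_permissions (role, permission) values
  ('admin', 'channels.delete'), ('admin', 'messages.delete'),
  ('moderator', 'messages.delete');

-- 2. Custom Access Token hook. Supabase Auth calls this (as supabase_auth_admin)
--    each time a token is issued and uses the returned event's 'claims' as the
--    JWT payload. The role is therefore a snapshot taken at issuance: a changed
--    role is only visible after the token is refreshed.
create or replace function public.custom_access_token_hook(event jsonb)
returns jsonb
language plpgsql
stable
as $$
declare
  claims    jsonb;
  user_role public.app_role;
begin
  select role into user_role
  from public.user_roles
  where user_id = (event ->> 'user_id')::uuid;

  claims := event -> 'claims';
  if user_role is not null then
    claims := jsonb_set(claims, '{user_role}', to_jsonb(user_role));
  else
    claims := jsonb_set(claims, '{user_role}', 'null');
  end if;

  return jsonb_set(event, '{claims}', claims);
end;
$$;

-- Only the auth server may run the hook or read user_roles; end users must
-- not be able to call it or see other users' role assignments.
grant usage on schema public to supabase_auth_admin;
grant execute on function public.custom_access_token_hook to supabase_auth_admin;
revoke execute on function public.custom_access_token_hook from authenticated, anon, public;
grant all on table public.user_roles to supabase_auth_admin;
revoke all on table public.user_roles from authenticated, anon, public;
alter table public.user_roles enable row level security;
create policy "auth admin reads user roles" on public.user_roles
  as permissive for select to supabase_auth_admin using (true);

-- 3. authorize(): reads the role from the caller's JWT (no per-request lookup
--    of user_roles) and checks role_permissions for the requested permission.
--    security definer so it can read role_permissions although end users hold
--    no direct grant on that table; search_path is emptied so every object
--    must be schema-qualified.
create or replace function public.authorize(requested_permission public.app_permission)
returns boolean
language plpgsql
stable
security definer
set search_path = ''
as $$
declare
  user_role public.app_role;
begin
  select (auth.jwt() ->> 'user_role')::public.app_role into user_role;
  return exists (
    select 1 from public.role_permissions rp
    where rp.permission = requested_permission
      and rp.role = user_role
  );
end;
$$;

-- 4. Enforce in RLS. The UI may read the same claim to decide whether to show
--    a delete button, but this policy is what actually decides.
alter table public.channels enable row level security;
create policy "authorized users delete channels" on public.channels
  for delete to authenticated
  using ( (select public.authorize('channels.delete')) );
```

The hook still has to be switched on: in the hosted dashboard under Authentication, Hooks, and for local development via the `[auth.hook.custom_access_token]` section of `supabase/config.toml` with `enabled = true` and `uri = "pg-functions://postgres/public/custom_access_token_hook"` (the function's schema and name above are the assumed ones). Because the claim is baked in at issuance, revoking a role should be paired with a short JWT lifetime or a forced refresh; the RLS policy, not the UI, is the enforcement point.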

Comments • 33

  • @Supabase
    @Supabase 5 months ago +4

    Thanks for tuning in! Make sure to check out the docs: supabase.com/docs/guides/auth/custom-claims-and-role-based-access-control-rbac?
    And you can find the code on GitHub: github.com/supabase/supabase/tree/master/examples/slack-clone/nextjs-slack-clone

  • @carlosricardoziegler2650
    @carlosricardoziegler2650 5 months ago +3

    What is a good approach to change a user's claims and get the changes in realtime?

  • @nipperstyx
    @nipperstyx 5 months ago +1

    Small tangent, perhaps, but what was the approach to determine which channels were available to delete for the moderator role in the UI? The trash icon existed for just the one available to delete. Presumably that's using the same rules as RLS for the delete, but are those rules duplicated into a function your UI is using?

  • @pedrovovoD
    @pedrovovoD 3 months ago

    This saved me.

  • @derekjwilliams
    @derekjwilliams 3 months ago

    Great stuff. I was wondering what the Supabase team thinks of services like Cerbos for RBAC and ABAC.

  • @tej_777_
    @tej_777_ 5 months ago +1

    This is amazing, I've been wanting to implement such functionality; nice to see a tutorial on this. Wonder if it works well with GraphQL too?

    • @Supabase
      @Supabase 4 months ago

      Yes, GraphQL fully supports this approach also 👍

  • @belmo_
    @belmo_ 4 months ago

    Just tried using this approach, adding a custom claim (is_admin) to the JWT in a Next.js 14 app, but it just keeps running into an error -> AuthApiError: Error invoking access token hook

  • @skillsvsdegree6139
    @skillsvsdegree6139 5 months ago +3

    Perfect timing for me, this is what I need for my website now.
    Do you have videos of how you developed the chat app that you showed in the video?
    Thank you

    • @thorwebdev
      @thorwebdev 5 months ago +1

      You mean a video of live coding the entire Slack clone?

    • @skillsvsdegree6139
      @skillsvsdegree6139 5 months ago

      @thorwebdev Yes. I saw their happy-hour video stream a few months ago and it made me start my own website. Now I have launched it, but it's a bit old. Is there an entire Slack clone video like that? Can you give the link if there is one?

    • @skillsvsdegree6139
      @skillsvsdegree6139 5 months ago

      Oh, I didn't notice it's you, Thor. You were in that stream, right? I think you came in only one video :) They were joking about Hammer. It was such a wonderful stream; it made me start my own website, and I started to learn React. Now my website is live, but it needs soooo many improvements. Love you guys. Thanks Thor

  • @niccolofontana1049
    @niccolofontana1049 1 month ago

    Nice video! Thank you 😊
    I am wondering why you don't enable this feature by default, like Auth0 does, but we have to actually write a bunch of stuff in our project following a documentation page.

  • @hago7568
    @hago7568 2 months ago +1

    Is there an update for the app router? I am trying to do this in the middleware but can't get it to work.

  • @GabrielFernandes-bc7se
    @GabrielFernandes-bc7se 10 hours ago

    Does the impersonate method work correctly with this?
    Imagine that we have two policies:
    - one to get the user's own messages (individual select)
    - one to get every message (for admin users)
    I tried it and technically it works but it does not work when I'm impersonating... Is there anything missing? Does the auth hook run on impersonate?
    I don't feel confident enough by testing these policies in development but not being able to test them using impersonate.

  • @user-ml2yz6ck7v
    @user-ml2yz6ck7v 3 months ago

    Question: how can I create a custom access token if I deployed Supabase in self-hosted Docker? I'm trying to create a "Hook: Custom access token" but I can't get it to work... I deployed the self-hosted version of Supabase. The documentation says to add fields to config.toml; I found it in supabase/supabase/config.toml, but as I understand it, that is not what I need. Question: how can I create a custom access token if I deployed Supabase in self-hosted Docker?

  • @nikitastriuk
    @nikitastriuk 4 months ago +3

    Thanks!
    What if a user could be part of multiple organizations and have different roles within them? Struggling with implementing this; would appreciate any advice.

    • @syedfaysel
      @syedfaysel 4 months ago

      I have a similar query. Let me know if anyone has any good ideas.

    • @johngn1978
      @johngn1978 2 months ago

      Same problem here, did you find any solution?

    • @haraldlons
      @haraldlons 1 month ago

      I'm wondering about the same

    • @alexizhernandez8011
      @alexizhernandez8011 1 month ago

      Same here. Anyone ever figure out a good way?
      Edit: An approach I was thinking of was refetching the token based on the organization instance. For example, you can have their metadata look something like this:
      {
      "org": "org-id",
      "role": "user",
      "additional_permissions": []
      }
      and on the client side, if they change between orgs somehow, that can trigger a session refresh with somehow passing in the org id that they wish to switch to?

  • @jonathangamble
    @jonathangamble 5 months ago +1

    If custom claims still reads from the database, how is this faster than just using RLS directly?

    • @Supabase
      @Supabase 4 months ago

      The Auth Hook is only triggered when a token is issued rather than the RLS policy triggering for each API call. So there is a bit of optimization here.

    • @Rexhibition
      @Rexhibition 4 months ago

      @Supabase Hi, I am a beginner, so RLS is easier for me to control. Would the optimization really make a difference in terms of performance and security? Or is controlling RLS directly sufficient? Thank you.

  • @Tanner-cz4bd
    @Tanner-cz4bd 5 months ago

    Supabase with Drizzle?
    Or local dev?

  • @zeeeeeman
    @zeeeeeman 1 month ago +1

    Noob question: why a public.users table? Why not use auth.users?

    • @Justin-oo2xt
      @Justin-oo2xt 1 month ago +1

      You can't query auth.users using the JavaScript client.

    • @meet_codes7467
      @meet_codes7467 1 month ago +1

      @Justin-oo2xt Why do we need to query auth.users anyway when the cookie/JWT will be stored locally in the browser?

    • @zeeeeeman
      @zeeeeeman 1 month ago

      @meet_codes7467 I was thinking about trying to get all the users out of the auth table.

  • @devdariill
    @devdariill 5 months ago

    Nice 9:34 minutes. How can I learn more about it?

  • @HijabiCoder
    @HijabiCoder 5 months ago +2

    Always pronounced it Ree-back 😅

    • @skillsvsdegree6139
      @skillsvsdegree6139 5 months ago

      Have you developed any personal websites with this? Can I see? Thank you.