Web app authorization according to assigned role

I have a CRUD web application with a tech stack of MongoDB, Node.js, Express and EJS. I am using Auth0 for user authentication to access the web app. I want to perform role-based authorization so that only certain users can access certain functionalities. How do I implement this?

i.e. if the role assigned to the user is Admin, the edit and add buttons on the web app will be available; otherwise the buttons will be disabled.
const axios = require("axios");

// Management API call: list the roles assigned to one user.
// AUTH0_TOKEN must be a Management API token with the read:users and read:roles scopes.
async function getUserRolesFromAuth0(userId) {
  const options = {
    method: "GET",
    url: `https://samcomelectronics.us.auth0.com/api/v2/users/${encodeURIComponent(userId)}/roles`,
    headers: {
      Authorization: "Bearer " + process.env.AUTH0_TOKEN,
    },
  };

  try {
    const response = await axios.request(options);
    if (Array.isArray(response.data) && response.data.length > 0) {
      const roles = response.data.map((role) => role.name);
      console.log(roles);
      return roles;
    } else {
      console.log("User has no roles");
      return []; // empty array instead of undefined, so callers can always iterate
    }
  } catch (error) {
    console.error(error);
    throw error;
  }
}

// Middleware: look the roles up and expose them to every EJS view through res.locals.
// Do not call res.render() here and then next(): render() sends the response, so the
// route handler that runs afterwards tries to send a second one. Leave rendering to the route.
app.use(async (req, res, next) => {
  try {
    const userId = req.oidc.user.sub; // assumes the route is behind requiresAuth()
    const roles = await getUserRolesFromAuth0(userId);
    res.locals.roles = roles; // available as `roles` inside index.ejs
    next();
  } catch (error) {
    next(error); // Pass any errors to the error-handling middleware
  }
});

app.get("/", (req, res) => {
  res.render("index"); // res.locals (including roles) is merged into the template variables
});

I am currently doing it like this, but this does not export ‘roles’ to index.ejs, hence I’m assuming it’s the wrong approach.

Kindly help

Hello @nalawalaq welcome to the community!

The best way to go about this is to implement Role Based Access Control (RBAC) - You can have this enabled for your API you’ve registered in Auth0. The flow goes something like this:

  • User authenticates at your web app and obtains an ID/access token.
  • The access token is included as an Authorization header in requests to the API that you have registered in Auth0.
  • Your API validates the token and then checks the permissions claim, scopes, etc. depending on your specific needs.

I recommend taking a look at the express-oauth2-jwt-bearer library referenced in the following guide for validating tokens on your backend/API:
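The flow described in this answer, worked through as an added example (not code from the thread or from Auth0). It assumes the API is registered in Auth0 with RBAC and "Add Permissions in the Access Token" enabled, so a validated access token carries a `permissions` array, and that the express-oauth2-jwt-bearer `auth()` middleware has already run and stored the decoded claims at `req.auth.payload`. The permission names, route paths and handler names are assumptions. The point it makes is that the permission check happens server-side on every mutating request; the button state the view gets is derived from the same decision but is not itself a control.

```javascript
// Added example, not code from the thread or from Auth0. Assumes the
// express-oauth2-jwt-bearer auth() middleware has validated the access token
// and placed the decoded claims at req.auth.payload. Permission names are assumed.

function permissionsOf(payload) {
  // Auth0 emits RBAC permissions as an array of strings in the "permissions" claim.
  const p = payload && payload.permissions;
  return Array.isArray(p) ? p : [];
}

function hasPermission(payload, required) {
  return permissionsOf(payload).includes(required);
}

// Route guard: 401 when no validated token is present, 403 when the token lacks
// the permission. Runs on the server for every request, whatever the browser shows.
function requirePermission(required) {
  return function (req, res, next) {
    const payload = req.auth && req.auth.payload;
    if (!payload) {
      return res.status(401).json({ error: "unauthorized" });
    }
    if (!hasPermission(payload, required)) {
      return res.status(403).json({ error: "insufficient_permissions", required });
    }
    return next();
  };
}

// Presentation helper: which buttons to render enabled. Convenience for the
// user, not a security control; requirePermission() is the control.
function uiCapabilities(payload) {
  return {
    canAdd: hasPermission(payload, "create:records"),
    canEdit: hasPermission(payload, "update:records"),
    canDelete: hasPermission(payload, "delete:records"),
  };
}

function exposeCapabilities(req, res, next) {
  res.locals.ui = uiCapabilities(req.auth && req.auth.payload);
  next();
}

// Wiring for an Express app (the app object is passed in; paths and handler
// names are illustrative). Each mutating route is guarded independently.
function wireRoutes(app, handlers) {
  app.use(exposeCapabilities);
  app.get("/records", handlers.list);
  app.post("/records", requirePermission("create:records"), handlers.create);
  app.put("/records/:id", requirePermission("update:records"), handlers.update);
  app.delete("/records/:id", requirePermission("delete:records"), handlers.remove);
}
```

In a view, `res.locals.ui` is what decides whether a button is rendered disabled; in the route table, `requirePermission()` is what decides whether the request succeeds. A user who re-enables a disabled button in the browser still gets a 403 from the guard.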

I’ve gone through the docs and followed the steps mentioned, but I’m still not able to solve my issue.

I have attached my repo please could you have a look into it?

Hey @nalawalaq!

What issue are you currently facing? Unfortunately, I’m not able to discern much from looking at your application code.

Basically, after the user logs in there is a CRUD app with edit, delete, view and add record buttons. I want to make it such that the edit, delete and add buttons are only enabled if the user logging in has an admin role. If the user has an employee role, I want to disable the edit, delete and add buttons.

The Auth0 authentication is working without any issues, but this authorization that I want to perform is not possible.

I’ve tried various methods as well as gone through the Auth0 RBAC docs, but I cannot find a solution for this.


Thanks for confirming!

Are you able to validate an access token successfully? Once validated, you should be able to make decisions in your API/backend logic based on the permissions claim and/or roles if you add them as a custom claim in the access token:
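The "roles as a custom claim" route this answer points at, as an added example (not code from the thread or from Auth0's docs). Part 1 is an Auth0 Post-Login Action that copies the user's roles into the ID and access tokens under a namespaced claim; part 2 is the server side of the original web app, reading that claim from the ID-token claims that express-openid-connect exposes as `req.oidc.user` (the same object the question's code reads `sub` from), so no Management API call is needed per request. The namespace URL and the role names "Admin" and "Employee" are assumptions.

```javascript
// Added example, not code from the thread or from Auth0. The claim namespace
// and role names are assumptions.

const ROLES_CLAIM = "https://example.com/roles"; // assumed namespace; Auth0 requires custom claims to be namespaced

// (1) Deploy in Auth0 as an Action on the Login flow, exported there as
//     exports.onExecutePostLogin. event.authorization.roles holds the names of
//     the roles assigned to the user in Auth0; it is absent when authorization
//     did not run, so guard for it.
async function onExecutePostLogin(event, api) {
  if (event.authorization && Array.isArray(event.authorization.roles)) {
    api.idToken.setCustomClaim(ROLES_CLAIM, event.authorization.roles);
    api.accessToken.setCustomClaim(ROLES_CLAIM, event.authorization.roles);
  }
}

// (2) In the Express app. Roles come from the verified ID token that
//     express-openid-connect already validated, not from a per-request lookup.
function rolesOf(claims) {
  const r = claims && claims[ROLES_CLAIM];
  return Array.isArray(r) ? r : [];
}

function hasRole(claims, role) {
  return rolesOf(claims).includes(role);
}

// Make `roles` and `isAdmin` available to every EJS view so it can disable buttons.
function exposeRoles(req, res, next) {
  const claims = req.oidc && req.oidc.user;
  res.locals.roles = rolesOf(claims);
  res.locals.isAdmin = hasRole(claims, "Admin");
  next();
}

// Guard the mutating routes too: a disabled button is not an access control.
function requireRole(role) {
  return function (req, res, next) {
    const claims = req.oidc && req.oidc.user;
    if (!claims) return res.status(401).send("login required");
    if (!hasRole(claims, role)) return res.status(403).send("forbidden");
    return next();
  };
}
```

Usage in the app: `app.use(exposeRoles)` after the express-openid-connect `auth()` middleware, `app.post("/records", requireRole("Admin"), createRecord)` and the same guard on the edit and delete routes, and in index.ejs something like `<button <%= isAdmin ? "" : "disabled" %>>Edit</button>`. Because the roles ride in the token, a role change takes effect at the user's next login, not immediately; if that matters, shorten the session or re-check the Management API on sensitive actions.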
