Web app authorization acc to role assigned

nalawalaq · October 18, 2023, 11:13am

I have CRUD web application with a tech stack of mongodb, nodejs, express and ejs. I am using auth0 for user authentication to access the web app. i want to perform role based authorization so that only certain users can access the certain functionalities. How do i implement this?

i.e. if the role assigned to the user is Admin, the edit and add buttons on the web app will be available else, the buttons will be disabled
async function getUserRolesFromAuth0(userId) {
const options = {
method: “GET”,
url: https://samcomelectronics.us.auth0.com/api/v2/users/${userId}/roles,
headers: {
Authorization: "Bearer " + process.env.AUTH0_TOKEN,
},
};

try {
const response = await axios.request(options);
if (response.data && Array.isArray(response.data) && response.data.length > 0) {
const roles = response.data.map((role) => role.name);
console.log(roles);
return roles;
} else {
console.log(“User has no roles”);
return ;
}
} catch (error) {
console.error(error);
throw error;
}
}

app.use(async (req, res, next) => {
try {
const userId = req.oidc.user.sub;
const roles = await getUserRolesFromAuth0(userId);
res.locals.roles = roles;
res.render(‘index’, { roles: roles });
next();
} catch (error) {
next(error); // Pass any errors to the error-handling middleware
}
});

I am currently doing it like this but this does not export ‘roles’ to index.ejs hence i’m assuming its the wrong approach

Kindly help

tyf · October 18, 2023, 10:18pm

Hello @nalawalaq welcome to the community!

The best way to go about this is to implement Role Based Access Control (RBAC) - You can have this enabled for your API you’ve registered in Auth0. The flow goes something like this:

User authenticates at your web app and obtains an ID/access token.
The access token is included as an Authorization header in requests to the API that you have registered in Auth0.
Your API validates the token and then checks the permissions claim, scopes, etc. depending on your specific needs.

I recommend taking a look at at the express-oauth2-jwt-bearer library referenced in the following guide for validating tokens on your backend/API:

nalawalaq · October 19, 2023, 7:55am

I’ve gone through the docs and followed the steps mentioned but i’m still not able to solve my issue.

I have attached my repo please could you have a look into it?

tyf · October 24, 2023, 10:58pm

Hey @nalawalaq!

What issue are you currently facing? Unfortunately, I’m not able to discern much from looking at your application code.

nalawalaq · October 25, 2023, 10:48am

Basically after the user logs in there is a crud app with edit, delete, view and add record buttons. i want to make it such that the edit, delete and add buttons are only enabled if the user logging in has an admin role. if the user has an employee role i want to disable the edit, delete and add buttons.

The auth0 authentication is working without any issues but this authorization that i want to perform is not possible.

I’ve tried various methods as well as gone through the auth0 rbac docs but i cannot find a solution for this

tyf · October 26, 2023, 9:57pm

Thanks for confirming!

Are you able to validate an access token successfully? Once validated, you should be able to make decisions in your API/backend logic based on the permissions claim and/or roles if you add them as a custom claim in the access token:

system · November 9, 2023, 9:58pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.