# general
p
Hello friends! All my API routes basically look like this (FastAPI):
```python
from fastapi import Depends, FastAPI, HTTPException, status
from supertokens_python.recipe.session import SessionContainer
from supertokens_python.recipe.session.framework.fastapi import verify_session

app = FastAPI()


@app.get("/api/users/{user_id}/recommendations")
def getRecommendations(
    user_id: str,
    session: SessionContainer = Depends(verify_session()),
):
    # Only the user who owns the session may read this user_id's data
    if user_id != session.get_user_id():
        # raise, don't return: returning the bare int would send "401" in a 200 body
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED)

    ...
```
Is there a better way to make sure only `session.get_user_id() == {user_id}`, else 401? Why do I want this?
- Gets cumbersome and error-prone to add this at the end of every route
- When I add more roles into the system, the initial check becomes fairly larger than just one `if` statement, and copy-pasting it everywhere feels like a giant red flag
My plan if there's no better "supertokens way" of doing things:
- define a function `def is_authorized(session: SessionContainer, request: Request) -> bool:`
- call it on the first line of any API route
r
Hey @psyf, you don't really need the user id in the path. But if you want to keep it, you can make your own middleware that does the above, I guess. Also, if the user id in the path and the session user id don't match, you should return a 403 and not a 401. If you return a 401, it will cause an infinite refresh loop.
p
AH. I want the user_id because an admin user would still use this endpoint with a specific {user_id} in mind. It's redundant when a normal user is using it, because `session.user_id == url.user_id`, as you correctly point out.
Noted on the 403 👍
Surprised this middleware isn't commonly used enough for an example in the repos 🙂
r
Which middleware?
p
the custom middleware you mention in your response: "But if you want to keep it, you can make your own middleware that does the above, I guess."
r
Ah. Well, the use case you have is unique
p
Really? Curious to know what your thoughts are on a different way of structuring the endpoints. How do others do RBAC when it comes to endpoints? Do they add a "selected_user_id" to the session object (on the frontend, on some user-selection action) so that an admin can GET resources related to a different user?
r
See our docs on roles please