Is there a way to allow users with ANY of the given roles to a route? For example, how should I set the validator so that users with any one of the roles
admin, subadmin, subsubadmin
are given access to a certain route?
Thank you.
rp_st
08/02/2023, 5:22 PM
hey @cabara in this case, you shouldn't use the validator in verifySession, but instead, add the logic in your API itself.
rp_st
08/02/2023, 5:23 PM
the docs mention this:
```ts
app.post("/update-blog", verifySession(), async (req: SessionRequest, res) => {
    const roles = await req.session!.getClaimValue(UserRoles.UserRoleClaim);
    if (roles === undefined || !roles.includes("admin")) {
        // this error tells SuperTokens to return a 403 to the frontend.
        throw new STError({
            type: "INVALID_CLAIMS",
            message: "User is not an admin",
            payload: [{
                id: UserRoles.UserRoleClaim.key
            }]
        })
    }
    // user is an admin..
});
```