Authentication And Security

Role-based Access Control (RBAC)

Back to videos

Summary

In this guide, we'll walk you through the process of restricting access to API endpoints based on a user's role, also known as role-based access control (RBAC). RBAC is a powerful way to manage permissions and ensure that users can only access the resources and functionality they're authorized for.

Step 1: Set up User Roles

The first step is to define the different roles that users can have in your application. In Xano, you can add a new column to your `users` table to store the role information.

  1. Open your Xano workspace and navigate to the `users` table.
  2. Click the "+" button next to "Columns" to add a new column.
  3. Name the column "role" and select the "Enum" data type.
  4. Enter the role values you want to use, such as "admin", "member", and "guest".
  5. Click "Save" to apply the changes.

Now, each user in your database will have a "role" column that can be set to one of the defined values.

Step 2: Implement Role-Based Access Control

With the user roles set up, you can now restrict access to specific API endpoints based on the user's role. We'll cover two methods: using the `get record` function and storing the user's role in the authorization token.

Method 1: Using `get record`

  1. Create a new API endpoint or open an existing one.
  2. Require user authentication by enabling the "User Authentication" option in the endpoint settings.
  3. Add a `get record` request to retrieve the authenticated user's record from the `users` table, matching the `id` field with the `auth.id` value.
  4. Use a `stop and debug` utility function to inspect the retrieved user record and their role.
  5. Add a precondition to check if the user has the required role (e.g., `user.role == 'admin'`). If the condition is not met, return an "Access Denied" error message.
  6. If the user has the required role, proceed with the desired functionality (e.g., querying data, updating records, etc.).

Here's an example of how the API endpoint might look:

javascript
 // Get the authenticated user's record
 const user = await get.record('users', {
  id: { equals: auth.id }
 });
 
 // Check if the user is an admin
 if (user.role !== 'admin') {
  throw new Error('Access Denied: You must be an admin to access this resource.', { status: 403 });
 }
 
 // Proceed with the desired functionality
 const records = await query.all('users');
 return records;

Method 2: Storing the User's Role in the Authorization Token

Another approach is to store the user's role in the authorization token itself, which can be accessed using the `auth.extras` object.

  1. Modify the "Log In" endpoint to include the user's role in the `auth.extras` object when generating the authorization token.
  2. In the "Log In" endpoint, add the following code:

javascript
 const user = await get.record('users', {
  email: { equals: input.email }
 });
 
 if (!user || !crypto.argon2.verify(user.password, input.password)) {
  throw new Error('Invalid email or password', { status: 401 });
 }
 
 const token = await auth.encode({ id: user.id }, {
  extras: { role: user.role }
 });
 
 return { token };

  1. Similarly, update the "Sign Up" endpoint to assign a default role (e.g., "member") if no role is provided during sign-up.
  2. In your API endpoint, access the user's role using `auth.extras.role`.
  3. Implement the desired functionality based on the user's role.

Here's an example of how you can access the user's role from the authorization token:

javascript
 const userRole = auth.extras.role;
 
 if (userRole !== 'admin') {
  throw new Error('Access Denied: You must be an admin to access this resource.', { status: 403 });
 }
 
 // Proceed with the desired functionality
 const records = await query.all('users');
 return records;

Remember that when using the `auth.extras` approach, if you change a user's role in the database, the user will need to log in again to obtain a new authorization token with the updated role.

By following these steps, you can easily implement role-based access control in your Xano applications, ensuring that users can only access the resources and functionality they're authorized for based on their assigned roles.

This transcript was AI generated to allow users to quickly answer technical questions about Xano.

Was this helpful?

I found it helpful

I need more support
Recommended videos

View all videos

Introducing the OpenSearch Query Wizard
Search And Data Processing

Introducing the OpenSearch Query Wizard

Zip Files in Xano - How to Read, Process, and Create Zip Files
File Management

Zip Files in Xano - How to Read, Process, and Create Zip Files

Introducing Middleware: Enhanced API Efficiency and Flexibility with Reusable Logic
Api And Debugging

Introducing Middleware: Enhanced API Efficiency and Flexibility with Reusable Logic

Sign up for XanoSign up for Xano

Build without limits on a secure, scalable backend.

Unblock your team's progress and create a backend that will scale for free.

Start building for free