In this guide, we'll walk you through the process of restricting access to API endpoints based on a user's role, also known as role-based access control (RBAC). RBAC is a powerful way to manage permissions and ensure that users can only access the resources and functionality they're authorized for.
The first step is to define the different roles that users can have in your application. In Xano, you can add a new column to your users table to store the role information.
Once the column is added, each user record in your database has a "role" column that can be set to one of the defined values (the examples below use 'admin').
With the user roles set up, you can now restrict access to specific API endpoints based on the user's role. We'll cover two methods: using the get record function and storing the user's role in the authorization token.
Using the get record function:
1. In the endpoint's function stack, add a get record request to retrieve the authenticated user's record from the users table, matching the id field with the auth.id value.
2. While building the endpoint, add a stop and debug utility function to inspect the retrieved user record and its role; remove it before publishing.
3. Add a conditional that checks the role (for example, user.role == 'admin'). If the condition is not met, return an "Access Denied" error message instead of continuing.
Here's an example of how the API endpoint might look:
// Get the authenticated user's record
const user = await get.record('users', {
id: { equals: auth.id }
});
// Check if the user is an admin; a missing record (deleted user, valid token) also fails closed
if (!user || user.role !== 'admin') {
throw new Error('Access Denied: You must be an admin to access this resource.', { status: 403 });
}
// Proceed with the desired functionality
const records = await query.all('users');
return records;
Another approach is to store the user's role in the authorization token itself, which can be accessed using the auth.extras object.
In your login endpoint, add the role to the auth.extras object when generating the authorization token:
const user = await get.record('users', {
email: { equals: input.email }
});
if (!user || !crypto.argon2.verify(user.password, input.password)) {
throw new Error('Invalid email or password', { status: 401 });
}
const token = await auth.encode({ id: user.id }, {
extras: { role: user.role }
});
return { token };
In any protected endpoint, the role is then available as auth.extras.role without a database lookup. Here's an example of how you can access the user's role from the authorization token:
const userRole = auth.extras.role;
if (userRole !== 'admin') {
throw new Error('Access Denied: You must be an admin to access this resource.', { status: 403 });
}
// Proceed with the desired functionality
const records = await query.all('users');
return records;
Remember that with the auth.extras approach the role is fixed at the moment the token is issued: if you change a user's role in the database, the existing token still carries the old role until it expires or the user logs in again. This matters most for demotions and revocations, where the user keeps their old privileges for as long as the token lives; keep token lifetimes short, or use the get record approach for sensitive endpoints, if that window is unacceptable. The client cannot change the role inside a signed token, so the concern is staleness rather than tampering.
By following these steps, you can easily implement role-based access control in your Xano applications, ensuring that users can only access the resources and functionality they're authorized for based on their assigned roles.