Protect multiple endpoints/middleware over specific endpoints
Unanswered
Japanese jack mackerel posted this in #help-forum
Japanese jack mackerel (OP)
I'm using AuthJS and I have certain endpoints that I want restricted to only those who have been verified as admins. To know who's an admin I'm using the Discord API: the user signs in, then when they make a request to an endpoint they pass along their bearer token, which is used to query the Discord API to find out what roles they have in my server, and if they have the admin role then the action is executed.
Two questions:
Firstly, is there a way to wrap multiple endpoints in this logic? Or would it be enough to just write a function that returns a bool that I call and pass their token to?
Secondly, is this how I should be using AuthJS to securely prevent a malicious actor from gaining admin access? With this implementation the only way I think they could get admin access is if they got the bearer token of an admin.
1 Reply
Tomistoma
1. You can just create a custom function that does that, utilize RBAC, then wrap your handlers. I don't think using middleware is recommended.
2. Yeah, and that's it. If you're worried about someone getting the bearer token of an admin, then implement refresh tokens to avoid session hijacking. Refresh tokens replace valid access tokens after a given time. I highly suggest looking into it.
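The "custom function that wraps your handlers" approach from the reply, as an added example that is not code from the thread: a higher-order `withAdmin` guard applied to several route handlers, using the Web `Request`/`Response` objects that Next.js App Router handlers already use (Node 18+ has them globally). The role lookup is injected (`fetchGuildRoles` is an assumed, constructed stand-in for the real Discord guild-member call) so the example runs offline; the role ids and tokens are constructed placeholders.

```javascript
// Constructed placeholder, not a real Discord role id.
const ADMIN_ROLE_ID = '111111111111111111';

function jsonResponse(body, status) {
  return new Response(JSON.stringify(body), {
    status,
    headers: { 'content-type': 'application/json' },
  });
}

// Extract the token from "Authorization: Bearer <token>"; null if absent/malformed.
function extractBearerToken(request) {
  const header = request.headers.get('authorization') ?? '';
  const match = /^Bearer\s+(\S+)$/i.exec(header);
  return match ? match[1] : null;
}

// Build the guard once with a role lookup, then reuse it on every protected handler.
// fetchGuildRoles(token) resolves to an array of role ids, or null if the token is invalid.
function makeWithAdmin(fetchGuildRoles, adminRoleId = ADMIN_ROLE_ID) {
  return function withAdmin(handler) {
    return async function guarded(request, ctx) {
      const token = extractBearerToken(request);
      if (!token) return jsonResponse({ error: 'missing bearer token' }, 401);
      let roles;
      try {
        roles = await fetchGuildRoles(token);
      } catch {
        // Fail closed: if the role lookup errors, nobody is treated as admin.
        return jsonResponse({ error: 'role lookup failed' }, 503);
      }
      if (roles === null) return jsonResponse({ error: 'invalid token' }, 401);
      if (!roles.includes(adminRoleId)) return jsonResponse({ error: 'admin role required' }, 403);
      return handler(request, ctx);
    };
  };
}

// Constructed in-memory lookup standing in for the Discord API (assumption, not real data).
const FAKE_MEMBERS = {
  'tok-admin': [ADMIN_ROLE_ID, '222222222222222222'],
  'tok-user': ['222222222222222222'],
};
const withAdmin = makeWithAdmin(async (token) => FAKE_MEMBERS[token] ?? null);

// Two different handlers share one guard instead of repeating the check in each.
const banUser = withAdmin(async () => jsonResponse({ ok: true, action: 'ban' }, 200));
const purgeChannel = withAdmin(async () => jsonResponse({ ok: true, action: 'purge' }, 200));

// Helper for exercising a guarded handler with an optional bearer token.
async function statusFor(handler, token) {
  const headers = token ? { authorization: `Bearer ${token}` } : {};
  const res = await handler(new Request('http://localhost/api/admin', { headers }));
  return res.status;
}
```

Because the guard only trusts what the role lookup returns for the presented token, a forged or expired token never reaches the wrapped handler, and a lookup outage denies rather than grants access.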