need help regarding permissions
Unanswered
Red wood ant posted this in #help-forum
Red wood antOP
Hi,
So I have a problem regarding permissions: I have a lot of permissions, which are 130kb in size, and since the cookie size limit is 4kb and I'm checking in the middleware, what is the best practice to tackle this issue?
25 Replies
Not sure how you are storing permissions, but how about using bitwise operations to store permissions?
Red wood antOP
I'm using them like this: ['can_view_dashboard', etc....]
Yeah, check out bitwise permissions.
So instead of storing an array of strings, you just store a number and perform a bitwise operation to get true or false for a given permission.
Red wood antOP
But it can make us more prone to error.
How?
We are using that in production at work, along with many other companies like Discord.
Red wood antOP
If I misplace a 1, I can grant the user a permission accidentally.
uhhh
You don't write numbers yourself lol
Gimme a moment
```javascript
// Define permission constants using bit shifting
const PERMISSION_READ = 1 << 0; // 00000001 (1)
const PERMISSION_WRITE = 1 << 1; // 00000010 (2)
const PERMISSION_EXECUTE = 1 << 2; // 00000100 (4)
const PERMISSION_DELETE = 1 << 3; // 00001000 (8)

// Function to check if a permission is granted
function hasPermission(permissions, permissionToCheck) {
  return (permissions & permissionToCheck) === permissionToCheck;
}

// Function to grant a permission
function grantPermission(permissions, permissionToGrant) {
  return permissions | permissionToGrant;
}

// Function to revoke a permission
function revokePermission(permissions, permissionToRevoke) {
  return permissions & ~permissionToRevoke;
}

// Example usage:
let userPermissions = PERMISSION_READ; // Initial permission: READ only
```
Instead of creating a new variable for each permission, use an object:
```javascript
const permission = {
  read: 1 << 0,
  write: 1 << 1,
  update: 1 << 2,
  delete: 1 << 3,
};
```
Then do stuff like:
```javascript
// uses the grantPermission / hasPermission helpers defined above
grantPermission(currentPermissions, permission.delete);
hasPermission(currentPermissions, permission.delete);
```
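Since the original backend returns permission names as strings, the same idea can be applied without touching that API: keep a fixed, ordered registry of names and derive every bit from it, so nobody ever types a raw number. This is an added example, not code from the thread; the permission names are a constructed sample, and it uses BigInt because plain JavaScript bitwise operators are limited to 32 bits, which a large permission set like the one described above would overflow.

```javascript
// Added example: compact a list of permission strings into a BigInt bitmask.
// The registry order is the contract: encoder and decoder must share it.
const PERMISSION_NAMES = [ // constructed sample registry (hypothetical names)
  'can_view_dashboard',
  'can_edit_users',
  'can_delete_users',
  'can_view_reports',
];

// name -> bit index, built once so bits are never hand-assigned
const BIT_INDEX = new Map(PERMISSION_NAMES.map((name, i) => [name, i]));

function bitFor(name) {
  const idx = BIT_INDEX.get(name);
  if (idx === undefined) throw new Error(`unknown permission: ${name}`);
  return 1n << BigInt(idx); // BigInt: works past bit 31, unlike 1 << idx
}

// ['can_view_dashboard', ...] -> one BigInt mask
function encodePermissions(names) {
  return names.reduce((mask, name) => mask | bitFor(name), 0n);
}

// mask -> the names it grants, in registry order
function decodePermissions(mask) {
  return PERMISSION_NAMES.filter((_, i) => (mask >> BigInt(i)) & 1n);
}

function hasPermission(mask, name) {
  const bit = bitFor(name);
  return (mask & bit) === bit;
}

function grantPermission(mask, name) { return mask | bitFor(name); }
function revokePermission(mask, name) { return mask & ~bitFor(name); }

// Hex string for transport: thousands of flags still fit in a few hundred bytes
function serializeMask(mask) { return mask.toString(16); }
function parseMask(hex) { return BigInt('0x' + hex); }
```

The thread's later advice still applies: whatever is in the cookie is client-held, so the mask is a compact representation, not a trust boundary, and the server should resolve permissions from the session.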
Red wood antOP
This will take much more time because I've already built the backend to return strings and I don't want to rewrite everything from scratch. Can you suggest something else?
My main problem is that I'm doing all the checking in the middleware, and I used localStorage, which I can't access in the middleware.
Roseate Spoonbill
1. In the cookie store only a session token (like a JWT).
2. Retrieve permissions when rendering the page and act accordingly (so don't store them in cookies at all).
3. Use middleware for simple checks (e.g. session cookie missing -> redirect to login), but don't make it the only place where the check happens, because middleware can be omitted when making requests.
Red wood antOP
@Roseate Spoonbill Where should I check for roles if my roles are too big to be stored in cookies?
Roseate Spoonbill
On the page itself, and/or when accessing protected data. You can also pass it down as props.
```javascript
import { cookies } from 'next/headers';
import { notFound } from 'next/navigation';

async function DashboardPage() {
  const cookieStore = await cookies();
  // cookieStore.get() returns { name, value } (or undefined), so read .value
  const token = cookieStore.get('session-token')?.value;
  const user = await getUserFromDB(token); // or whatever custom logic you have to access user info
  const permissions = user.permissions;
  if (!permissions.can_access_dashboard) {
    notFound();
  }
  // Render actual page here
  // ...
}
```
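The three-point structure above (opaque token in the cookie, permissions resolved server-side, middleware only as an early redirect) can be shown framework-free. This is an added example, not the thread's or Next.js's code; the session store, token values and permission names are constructed, and the page and data functions stand in for a server component and a data-access call.

```javascript
// Added example: one server-side guard shared by the page and the data layer,
// so a request that never passes through middleware is still checked.
const SESSIONS = new Map([ // constructed sample session store: token -> user
  ['tok-alice', { id: 1, permissions: ['can_access_dashboard', 'can_view_reports'] }],
  ['tok-bob',   { id: 2, permissions: ['can_view_reports'] }],
]);

// Pull the session token out of a raw Cookie header ("a=1; session-token=tok-alice")
function tokenFromCookieHeader(header) {
  for (const part of (header || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === 'session-token') return rest.join('=');
  }
  return null;
}

// Middleware-style early check: redirects when the cookie is absent, nothing more
function middleware(cookieHeader) {
  return tokenFromCookieHeader(cookieHeader) ? { next: true } : { redirect: '/login' };
}

// The cookie carries only the token; permissions are looked up server-side
function requirePermission(token, permission) {
  const user = token ? SESSIONS.get(token) : undefined;
  if (!user) return { ok: false, status: 401 };
  if (!user.permissions.includes(permission)) return { ok: false, status: 404 }; // notFound()
  return { ok: true, user };
}

// Page handler: performs its own check instead of trusting middleware
function dashboardPage(cookieHeader) {
  const res = requirePermission(tokenFromCookieHeader(cookieHeader), 'can_access_dashboard');
  if (!res.ok) return { status: res.status };
  return { status: 200, body: `dashboard for user ${res.user.id}` };
}

// Data access checks again: API routes can reach it without rendering the page
function getReportData(token) {
  const res = requirePermission(token, 'can_view_reports');
  if (!res.ok) throw new Error(`forbidden (${res.status})`);
  return [{ report: 'q1', owner: res.user.id }]; // constructed sample rows
}
```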
Red wood antOP
I don't want to do that, I want to check the permission in middleware only.
Roseate Spoonbill
@Red wood ant I understand your sentiment, and I wish there was a centralized way of dealing with this, but there isn't, and if there is, middleware isn't it.
This is not what middleware is for. It's detached from the rest of the application and meant to be running on the edge. It does not protect anything directly, and this is why it's not safe to use as the only place auth checks are performed. It's good for an early auth check (redirect to login etc.), but not good for protection.
You should avoid checking permissions just in middleware, especially after the recent vuln disclosure.
Roseate Spoonbill
Yup. The vulnerability was fixed, and it was a vulnerability only because they miscommunicated about what the middleware should and shouldn't be used for. I don't believe it was ever meant for such a use case; the documentation just misdirected people. But the team did adjust the docs so that they don't mention authentication as a use case, even an early one.
And it all makes sense, because if this is your edge middleware, then the main app is somewhere central, and if it is, it can be accessed without middleware somehow (because middleware accesses it somehow).