Nextjs user invitation to dashboard help
Answered
In&Out posted this in #help-forum
In&Out (OP)
Hey folks, I'm currently making a WordPress type of CMS with Next.js and Supabase, and I'm making a dashboard for it. What I want to do is, when I make the dashboard, I can go to, like, an /editors page where I can make an account with email, password and name; then when you log in with that email and password, you will have access to my dashboard and will be able to do everything the owner can except add more editors. I have everything already done except access; I don't know how to make it possible so that the new user has access to my dashboard and can make content and stuff like that.
Answered by Rohit | Lucifer
You can use RBAC (role-based access control). You might be using some database and backend, maybe a custom or Next.js server itself. When, as a super admin, you create a user, save them in the DB. When the person logs in with those credentials, you check your DB for that record and verify the user with their role, and set a role cookie for them in order to check if the user has the proper role to create new users.
Now let's say the user tries to change the cookie manually and hit the request; that's where you do a second-level check on your backend to ensure that the role of the user matches the role stored in the DB. This can be done easily as all the tokens are sent in the request. If the cookie doesn't match the user's actual role from the DB, you reject the request and reset the cookie to its original value.
Bonus tip: You can use middleware to protect the /editors route based on the user role stored in the cookie.
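The two-layer check described in the answer above, as an added example that is not code from the thread or from the OP's project. It models the Next.js middleware and the create-editor API handler as plain functions over a constructed in-memory user table and session store, so it runs without a Next.js install; `ROUTE_ROLES`, `authorize`, the `session` cookie and the owner/editor role names are assumptions.

```javascript
// Constructed stand-in for the DB (Supabase in the OP's setup): id -> user row.
const users = new Map([
  ["u1", { id: "u1", email: "owner@example.com", role: "owner" }],
  ["u2", { id: "u2", email: "editor@example.com", role: "editor" }],
]);
// Constructed session store: opaque session token -> user id. In a real app
// this is the httpOnly auth cookie / Supabase session, never the role cookie.
const sessions = new Map([["sess-owner", "u1"], ["sess-editor", "u2"]]);

// Which roles may reach which route. Only owners may manage editors.
const ROUTE_ROLES = { "/editors": ["owner"], "/dashboard": ["owner", "editor"] };

// Layer 1: middleware-style gate on the role cookie. The cookie is
// client-controlled, so this only decides routing; it never authorizes.
function middleware(pathname, cookies) {
  const allowed = ROUTE_ROLES[pathname];
  if (!allowed) return { action: "next" };
  if (!allowed.includes(cookies.role)) return { action: "redirect", to: "/login" };
  return { action: "next" };
}

// Layer 2: server-side check that ignores the role cookie and reads the real
// role from the DB via the session token. `setRole` is the value to write
// back into the cookie when it was tampered with (null = cookie already correct).
function authorize(cookies, requiredRoles) {
  const userId = sessions.get(cookies.session);
  const user = userId ? users.get(userId) : undefined;
  if (!user) return { ok: false, status: 401, setRole: null };
  const setRole = cookies.role === user.role ? null : user.role;
  if (!requiredRoles.includes(user.role)) return { ok: false, status: 403, setRole };
  return { ok: true, status: 200, setRole, user };
}

// Handler for POST /api/editors: creates an editor only after the DB check.
function createEditorHandler(cookies, body) {
  const auth = authorize(cookies, ROUTE_ROLES["/editors"]);
  if (!auth.ok) return { status: auth.status, setRole: auth.setRole };
  const id = `u${users.size + 1}`;
  users.set(id, { id, email: body.email, role: "editor" });
  return { status: 201, setRole: auth.setRole, id };
}
```

An editor who rewrites the role cookie to `owner` passes `middleware` but gets a 403 from `createEditorHandler`, and the response carries `setRole: "editor"` so the cookie is reset to its real value.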
3 Replies
In&Out (OP)
anyone?
In&Out (OP)
yeah, seems I had to wait a bit more before asking the question since I figured it out lol, but figured it out in the way you said, thank you