Checking permissions from external APIs, then setting cookies if needed
Unanswered
Yellowhead catfish posted this in #help-forum
Yellowhead catfish (OP)
Hello, I've been stuck on a problem for a few days and I'd like to do this the right way, avoiding workarounds. I'm not sure if I'm doing it right, but here's my use case:
I have certain routes that I need to decide whether or not to display on the server side. To do this, I have a requirePermission method that checks whether the user returned from the API has the necessary permissions. In a context where AT and RT are OK, everything works as expected:

```ts
// Usage from a layout:
//
// export default async function DashboardLayout({ children }: DashboardLayoutProps) {
//   await requirePermission(Permission.Administrator);
//   return </>
// }
'use server';

import { cookies } from 'next/headers';
import { redirect } from 'next/navigation';
// Powers, GetUserMeResponse200, extractPermissions and hasPermission are project
// helpers whose imports were not included in the post.

export async function requirePermission(required: keyof typeof Powers, redirectTo = '/beta') {
  const cookieStore = await cookies();
  console.log(`[auth.utils] Checking required permission: ${required}`);
  // Server-to-server call to the app's own proxy route. The incoming request's
  // cookies are forwarded by hand because `credentials` has no effect on the server.
  const res = await fetch(`${process.env.NEXT_PUBLIC_APP_URL}/api/proxy/user/me`, {
    method: 'GET',
    credentials: 'include',
    cache: 'no-store',
    headers: {
      cookie: cookieStore.toString(),
    },
  });
  if (!res.ok) redirect(redirectTo);
  const data = (await res.json()) as GetUserMeResponse200;
  if (!data.data.roles) redirect(redirectTo);
  const permissions = extractPermissions(data.data.roles);
  return hasPermission(permissions, required);
}
```

When the “access_token” cookie expires, requirePermission:
-> calls /api/proxy/user/me
-> the proxy calls /user/me on the external API = 401
-> the proxy attempts to refresh the AT = 200
-> the proxy calls /user/me on the external API = 200
requirePermission receives the correct permissions, accepts and displays the layout, but the AT and RT are not updated in the browser cookies, so any refresh disconnects me and client-side API requests return 401.
I can't seem to link the two. I've read a lot of documentation and checked open source repositories, but I haven't really found an answer to my question, and I get the impression that everyone does it differently.
Thank you for your help.
*apps/web/src/app/api/proxy/[...path]/route.ts is attached. Sorry for the comments, but I'm stuck on this problem and have tried everything.
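The flow described above has two separate gaps, and the example below (added here; it is not code from the original post or from the project's attached route.ts) shows the part the proxy itself is responsible for. First, when the proxy refreshes the tokens it has to hand the new Set-Cookie values back to whoever called it, re-scoped for the app's origin, because cookies the external API sets with its own Domain attribute will never be accepted by the browser for the Next.js origin. Second, and this is why the layout path still loses the session: requirePermission calls the proxy server-to-server during a Server Component render, so those Set-Cookie headers land on `res.headers` inside requirePermission, and Next.js does not allow `cookies().set()` there (only in Server Actions and Route Handlers). For page navigations the refresh therefore usually has to happen in middleware, which can set cookies on the NextResponse it returns; for client-side calls the Route Handler below suffices. The code is framework-free and uses only the WHATWG `Response`/`Headers` globals (`Headers.getSetCookie` needs Node 20+). The `upstream` function, the `/auth/refresh` path, the cookie names and the fake upstream are all assumptions constructed for the example.

```javascript
// Added example (not the project's code): refresh-and-retry logic for a
// /api/proxy/[...path] route handler that also propagates the refreshed
// tokens to its caller. Names (upstream, /auth/refresh, access_token,
// refresh_token) are assumptions; the upstream below is a constructed fake.

// Parse the `name=value` part of one Set-Cookie header line.
function parseSetCookie(line) {
  const [pair] = line.split(';', 1);
  const eq = pair.indexOf('=');
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
}

// Merge Set-Cookie lines into an existing Cookie request header, replacing
// same-named cookies, so the retried upstream call carries the new tokens.
function mergeCookieHeader(cookieHeader, setCookieLines) {
  const jar = new Map();
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  for (const line of setCookieLines) {
    const { name, value } = parseSetCookie(line);
    jar.set(name, value);
  }
  return [...jar].map(([k, v]) => `${k}=${v}`).join('; ');
}

// The external API scopes cookies to its own host. Re-scope for the app origin:
// drop Domain (a foreign domain would be rejected anyway), force Path=/, and
// force HttpOnly + Secure + SameSite so client-side JS never sees the tokens.
function rescopeForAppOrigin(line) {
  const [pair, ...attrs] = line.split(';').map((s) => s.trim());
  const kept = attrs.filter((a) => !/^(domain|path|httponly|secure|samesite)=?/i.test(a));
  return [pair, ...kept, 'Path=/', 'HttpOnly', 'Secure', 'SameSite=Lax'].join('; ');
}

// Proxy one request: on 401, refresh once, retry with the new cookies, and
// attach the re-scoped Set-Cookie lines to the response handed back to the caller.
async function proxyWithRefresh(path, cookieHeader, upstream) {
  let res = await upstream(path, cookieHeader);
  if (res.status !== 401) return res;

  const refreshed = await upstream('/auth/refresh', cookieHeader);
  if (!refreshed.ok) return new Response(null, { status: 401 });

  const setCookies = refreshed.headers.getSetCookie();
  res = await upstream(path, mergeCookieHeader(cookieHeader, setCookies));

  const headers = new Headers(res.headers);
  for (const line of setCookies) headers.append('set-cookie', rescopeForAppOrigin(line));
  return new Response(await res.text(), { status: res.status, headers });
}

// Constructed fake upstream: 401 on a stale AT, refresh succeeds only with the
// current RT, and /user/me answers 200 once the new AT is presented.
function fakeUpstream(path, cookieHeader) {
  const jar = Object.fromEntries(cookieHeader.split(';').map((p) => p.trim().split('=')));
  if (path === '/auth/refresh') {
    if (jar.refresh_token !== 'rt-old') return new Response(null, { status: 401 });
    const h = new Headers();
    h.append('set-cookie', 'access_token=at-new; Domain=api.example.test; Path=/; HttpOnly');
    h.append('set-cookie', 'refresh_token=rt-new; Domain=api.example.test; Path=/; HttpOnly');
    return new Response('{}', { status: 200, headers: h });
  }
  if (jar.access_token !== 'at-new') return new Response(null, { status: 401 });
  return new Response(JSON.stringify({ data: { roles: ['admin'] } }), {
    status: 200,
    headers: { 'content-type': 'application/json' },
  });
}

// Walk through the expired-AT case and return what the caller would observe.
async function demo() {
  const res = await proxyWithRefresh('/user/me', 'access_token=at-expired; refresh_token=rt-old', fakeUpstream);
  return { status: res.status, setCookies: res.headers.getSetCookie(), body: await res.json() };
}
```

Whatever calls `proxyWithRefresh` still has to be somewhere that can write cookies for the browser: a Route Handler returning this Response directly, or middleware copying the Set-Cookie lines onto its NextResponse before the layout renders. Calling it from a Server Component, as requirePermission does, is exactly the case where the refreshed cookies are received and then dropped.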
2 Replies
Milkfish
Your setup is a bit convoluted, ngl.
Same issue