Role-based Access Control (RBAC) User Authorization in Next.js



CHAPTERS:

00:00 Intro to custom JWT claims and RBAC
00:47 Demo of the Slack Clone example
02:27 Create tables for user roles and permissions
03:20 Using Auth hooks to modify the JWT
05:45 Enable the auth hook in Supabase
06:05 Enable the auth hook in local dev
06:40 Authorize based on user roles in RLS policies
08:18 Accessing user roles in your application
09:01 Outro

ABOUT SUPABASE:
Supabase is the open source Firebase alternative. Supabase provides a full Postgres database for every project with pgvector, backups, realtime, and more. Add and manage email and password, passwordless, OAuth, and mobile logins to your project through a suite of identity providers and APIs.

Build in a weekend, scale to millions.

#Supabase #AppDevelopment #RealtimeApps #DeveloperTools
Comments

What is the good approach to change claims from a user and get changes in realtime ?

carlosricardoziegler

Perfect timing for me, this is what I need for my website now.
Do you have the videos of how you developed this chat app that you showed in the video?
Thank you <3

skillsvsdegree

Nice video! Thank you 😊

I am wondering why you don’t enable this feature by default, like Auth0 does, but we have to actually write a bunch of stuff in our project following a documentation page

nic_fontana

Let us all be real. This approach is the hardest. I followed the docs, and there is nothing.

SsaliJonathan

Thanks!
What if user could be part of multiple organizations and have different roles within them? Struggling with implementing this - will appreciate any advice.

nikitastriuk

Is there an update for the app router? I am trying to do this in the middleware but can't get it to work

hago

If custom claims still read from the database, how is this faster than just using RLS directly?

jonathangamble

This is amazing, been wanting to implement such functionality; nice to see a tutorial on this. Wonder if it works well with GraphQL too?

tej__

Just tried using this approach, adding a custom claim (is_admin) to the JWT in Next.js 14, but it just keeps running into an error -> AuthApiError: Error invoking access token hook

belmo_

Hi @Supabase,
thanks for that. I have tweaked it so that I can use a helper function and trigger to control all my fields by the roles (I ignore permissions for now, it is way too much for my use case).

But here is the thing: with your custom auth hook, when impersonating the user right in your Supabase web app to quickly check things, it is just not working. I guess this impersonation stuff skips getting the JWT which contains the custom data from the custom auth hook function that has to be called. When checking these things in my own app, I see that the custom JWT is issued and all the info is there. Also my policy setup is working. But not when impersonating. This is a real pain when it comes to quickly checking things right in your tool rather than having rapid implementations in the app itself.

Any comments on this?

martinl.

Great stuff, I was wondering what the Supabase team thinks of services like Cerbos for RBAC, ABAC

derekjwilliams

Supabase with drizzle ?
Or local dev ?

Tanner-czbd

Hi, I have used the same steps. Still I am not getting user_role in the JWT, can someone help?

sandeepyadav

Question: how can I create a custom access token if I deployed Supabase in self-hosted Docker? I'm trying to create a Hook: Custom access token but I can't get it to work... I deployed the self-hosted version of Supabase. The documentation says to add fields to config.toml; I found it in supabase/supabase/config.toml. But as I understand it, that is not what I need. Question: how can I create a custom access token if I deployed Supabase in self-hosted Docker?

АлибекБилалов-ня

Does the impersonate method work correctly with this?

Imagine that we have two policies:
- one to get the user's own messages (individual select)
- one to get every message (for admin users)

I tried it and technically it works, but it does not work when I'm impersonating... Is there anything missing? Does the auth hook run on impersonate?
I don't feel confident enough testing these policies in development without being able to test them using impersonate.

GabrielFernandes-bcse

Noob question: why a public.users table? Why not use auth.users?

zeeeeeman

Nice 9:34 mins, how to learn more about it?

devdariill

Let's be honest, this video is disappointing and not helpful.

Muyiwamighty