Role-Based Access Control
This guide shows how to add roles to your gau setup.
- Roles are stored in the `User` table in the database.
- On first sign-in, you can set a role via `roles.defaultRole` or compute one with `roles.resolveOnCreate`.
- The session returned by `getSession()` includes `user.role` (if stored) and a derived `user.isAdmin` flag.
Add role to your User table
Add a `role` column. You can constrain the allowed values if you want.

```ts
// SQLite
import { sqliteTable, text } from 'drizzle-orm/sqlite-core'

export const Users = sqliteTable('users', {
  // ...
  role: text().$type<'admin' | 'user'>().default('user'),
})
```

```ts
// Postgres
import { pgTable, text } from 'drizzle-orm/pg-core'

export const Users = pgTable('users', {
  // ...
  role: text().$type<'admin' | 'user'>().default('user'),
})
```

Configuration
See roles.
All of these options are optional. By default, `defaultRole` is `'user'`, `adminRoles` is `['admin']`, and `adminUserIds` is `[]`.
```ts
import { createAuth } from '@rttnd/gau/core'

export const auth = createAuth({
  // ...
  roles: {
    defaultRole: 'user',
    resolveOnCreate({ providerId, profile }) {
      // Example:
      return profile.email === 'admin@example.com' ? 'admin' : 'user'
    },
    adminRoles: ['admin'],
    adminUserIds: ['1234567890'],
  },
})
```

On first sign-in, `resolveOnCreate` is called. If it returns a role, that role is used; otherwise `defaultRole` is used.
Every validated session sets `user.isAdmin` based on `roles.adminRoles` and `roles.adminUserIds`. The flag defaults to `false` when no rule matches.
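To make the two rules above concrete, here is an added example (not gau's own code) that models the role chosen on first sign-in and the derived `isAdmin` flag as plain functions over the same option names shown on this page. The helper names `withDefaults`, `roleOnCreate` and `isAdmin`, and the sample config, are assumptions made for the example; the defaults it fills in (`'user'`, `['admin']`, `[]`) are the ones documented above.

```typescript
// Added example, not gau's own code. Models how a role is chosen on first
// sign-in and how the derived isAdmin flag is computed from the roles config.
// Option names mirror this page; helper names are assumptions.

type Role = 'admin' | 'user'

interface Profile {
  email?: string
}

interface RolesConfig {
  defaultRole?: Role
  resolveOnCreate?: (ctx: { providerId: string; profile: Profile }) => Role | undefined
  adminRoles?: Role[]
  adminUserIds?: string[]
}

interface StoredUser {
  id: string
  role?: Role
}

// Fill in the documented defaults: 'user', ['admin'], [].
export function withDefaults(cfg: RolesConfig = {}): Required<RolesConfig> {
  return {
    defaultRole: cfg.defaultRole ?? 'user',
    resolveOnCreate: cfg.resolveOnCreate ?? (() => undefined),
    adminRoles: cfg.adminRoles ?? ['admin'],
    adminUserIds: cfg.adminUserIds ?? [],
  }
}

// First sign-in: resolveOnCreate wins when it returns a role, else defaultRole.
export function roleOnCreate(cfg: RolesConfig, providerId: string, profile: Profile): Role {
  const c = withDefaults(cfg)
  return c.resolveOnCreate({ providerId, profile }) ?? c.defaultRole
}

// Session validation: isAdmin is true only if the stored role is listed in
// adminRoles or the user id is explicitly listed in adminUserIds.
// With no matching rule the flag is false (deny by default).
export function isAdmin(cfg: RolesConfig, user: StoredUser): boolean {
  const c = withDefaults(cfg)
  if (user.role !== undefined && c.adminRoles.includes(user.role)) return true
  return c.adminUserIds.includes(user.id)
}

// Constructed sample config for the example. Promoting by e-mail, as the
// page's own snippet does, is only as trustworthy as the provider's
// verification of that e-mail; the explicit adminUserIds list does not
// depend on profile data at all.
export const sampleConfig: RolesConfig = {
  resolveOnCreate({ profile }) {
    return profile.email === 'admin@example.com' ? 'admin' : undefined
  },
  adminUserIds: ['1234567890'],
}
```

Note that `resolveOnCreate` returning `undefined` falls through to `defaultRole`, and that a user whose id is in `adminUserIds` is treated as admin even when the stored role is `'user'`.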
Use roles on the server
Authorize in your route handlers or middleware using `session.user?.isAdmin`.
Remote functions (SvelteKit)

```ts
import { getRequestEvent, query } from '$app/server'
import { error } from '@sveltejs/kit'

export const getSession = query(async () => {
  const event = getRequestEvent()
  const session = await event.locals.getSession()

  if (!session.user?.isAdmin) error(403, 'Forbidden')

  return session
})
```

Load functions (SvelteKit)
```ts
import type { PageServerLoad } from './$types'
import { error } from '@sveltejs/kit'

// This must be a server load (+page.server.ts): event.locals only exists
// there, and the authorization check has to run on the server.
export const load: PageServerLoad = async (event) => {
  const session = await event.locals.getSession()

  if (!session.user?.isAdmin) error(403, 'Forbidden')

  return session
}
```

API routes (SvelteKit)
```ts
import type { RequestHandler } from './$types'
import { error, json } from '@sveltejs/kit'

export const GET: RequestHandler = async (event) => {
  const session = await event.locals.getSession()

  if (!session.user?.isAdmin) error(403, 'Forbidden')

  // A RequestHandler must return a Response, so serialize the session.
  return json(session)
}
```

Server functions (SolidStart)
```ts
import { query } from '@solidjs/router'
import { getRequestEvent } from 'solid-js/web'

export const getSession = query(async () => {
  'use server' // run on the server so the request event and locals are available
  const event = getRequestEvent()
  const session = await event.locals.getSession()

  if (!session.user?.isAdmin) throw new Error('Forbidden')

  return session
}, 'session') // query() takes a cache key as its second argument
```

API routes (SolidStart)
```ts
import type { APIHandler } from '@solidjs/start/server'

export const GET: APIHandler = async (event) => {
  const session = await event.locals.getSession()

  if (!session.user?.isAdmin) return new Response('Forbidden', { status: 403 })

  // An APIHandler must return a Response, so serialize the session.
  return Response.json(session)
}
```