Role-Based Access Control
This guide shows how to add roles to your gau setup.
- Roles are stored in the User table in the database.
- On first sign-in, you can set a role via roles.defaultRole or compute one with roles.resolveOnCreate.
- The session returned by getSession() includes user.role when your adapter returns it.
Add role to your User table
Add a role column. You can constrain values if you want. Note that `$type<'admin' | 'user'>()` only narrows the TypeScript type; the database itself accepts any string for the column unless you add a CHECK constraint (or, on Postgres, a pgEnum), so the server-side checks below must never assume the column only holds these two values.

SQLite (Drizzle):

```ts
import { sqliteTable, text } from 'drizzle-orm/sqlite-core'

export const Users = sqliteTable('users', {
  // ...
  role: text().$type<'admin' | 'user'>().default('user'),
})
```

Postgres (Drizzle):

```ts
import { pgTable, text } from 'drizzle-orm/pg-core'

export const Users = pgTable('users', {
  // ...
  role: text().$type<'admin' | 'user'>().default('user'),
})
```
Configuration
See roles.
All of these options are optional. By default defaultRole is 'user', adminRoles is ['admin'], and adminUserIds is [].

```ts
import { createAuth } from '@rttnd/gau/core'

export const auth = createAuth({
  // ...
  roles: {
    defaultRole: 'user',
    resolveOnCreate({ providerId, profile }) {
      // Example: return profile.email === 'admin@example.com' ? 'admin' : 'user'
      // Returning nothing (undefined) means defaultRole is used.
    },
    adminRoles: ['admin'],
    adminUserIds: ['1234567890'],
  },
})
```

On first sign-in, resolveOnCreate is called. If it returns a role, it is used; otherwise defaultRole is. The role is decided once, when the user row is created, so changing defaultRole or resolveOnCreate later does not rewrite roles already stored in the User table. If you key the decision on profile.email, as in the comment above, do it only for providers that verify email ownership: an unverified address in a provider profile is chosen by whoever registered that provider account.
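The following is an added example, not gau's own code, of a resolveOnCreate policy that goes slightly beyond the one-line comment above: it grants 'admin' only to an allowlisted address at a specific provider, normalizes the address before comparing, and returns undefined in every other case so that gau falls back to roles.defaultRole. It assumes gau passes `{ providerId, profile }` as shown on this page and that `profile` carries an `email` field; `ADMIN_ACCOUNTS`, `normalizeEmail` and `resolveRoleOnCreate` are hypothetical names, and the allowlist contents are constructed sample data.

```typescript
// Added example, not part of gau: a resolveOnCreate policy that grants 'admin'
// only to an allowlisted account at a specific provider and otherwise returns
// undefined so gau falls back to roles.defaultRole.
// Assumptions: gau passes { providerId, profile } as on this page and profile
// carries an `email` field; ADMIN_ACCOUNTS, normalizeEmail and
// resolveRoleOnCreate are hypothetical names.

export type Role = 'admin' | 'user'

export interface CreateContext {
  providerId: string                   // e.g. 'github'
  profile: { email?: string | null }   // only email is consulted here
}

// Allowlist keyed by provider so that 'admin@example.com' at another provider,
// which may not verify addresses, does not inherit admin. Constructed sample data.
export const ADMIN_ACCOUNTS: Readonly<Record<string, readonly string[]>> = {
  github: ['admin@example.com'],
}

// Compare addresses case-insensitively and ignore surrounding whitespace.
export function normalizeEmail(email: string): string {
  return email.trim().toLowerCase()
}

export function resolveRoleOnCreate({ providerId, profile }: CreateContext): Role | undefined {
  const email = profile.email
  if (!email) return undefined // no usable email: let defaultRole apply
  const wanted = normalizeEmail(email)
  const admins = ADMIN_ACCOUNTS[providerId] ?? []
  return admins.some(a => normalizeEmail(a) === wanted) ? 'admin' : undefined
}

// Wiring into gau's config (shape taken from this page):
// createAuth({ roles: { defaultRole: 'user', resolveOnCreate: resolveRoleOnCreate } })
```

Returning undefined rather than 'user' for the non-admin case keeps the default role in one place (roles.defaultRole); the provider key on the allowlist is what stops the same address at an unverified provider from being treated as the admin.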
Use roles on the server
Authorize in your route handlers/middleware using session.user?.role. Do the comparison on the server and treat anything other than the expected role, including a missing user or a missing role, as a denial; the examples below respond 403 unless the role is exactly 'admin'.
SvelteKit

Remote functions (`$app/server`):

```ts
import { getRequestEvent, query } from '$app/server'
import { error } from '@sveltejs/kit'

export const getSession = query(async () => {
  const event = getRequestEvent()
  const session = await event.locals.getSession()

  // Deny unless the stored role is exactly 'admin'.
  if (session.user?.role !== 'admin') error(403, 'Forbidden')

  return session
})
```

Load functions (server-only, in `+page.server.ts`: `event.locals` is not available to a universal `+page.ts` load, so use PageServerLoad):

```ts
import type { PageServerLoad } from './$types'
import { error } from '@sveltejs/kit'

export const load: PageServerLoad = async (event) => {
  const session = await event.locals.getSession()

  if (session.user?.role !== 'admin') error(403, 'Forbidden')

  return session
}
```

API routes (`+server.ts`; a request handler must return a Response, so the session is serialized with `json()`):

```ts
import type { RequestHandler } from './$types'
import { error, json } from '@sveltejs/kit'

export const GET: RequestHandler = async (event) => {
  const session = await event.locals.getSession()

  if (session.user?.role !== 'admin') error(403, 'Forbidden')

  return json(session)
}
```
SolidStart

Server functions (`query` from `@solidjs/router`; the body needs the `'use server'` directive so it runs on the server, and `query` takes a cache key as its second argument):

```ts
import { query } from '@solidjs/router'
import { getRequestEvent } from 'solid-js/web'

export const getSession = query(async () => {
  'use server'
  const event = getRequestEvent()
  if (!event) throw new Error('No request event')
  const session = await event.locals.getSession()

  // Errors thrown here are returned to the caller; deny unless role is 'admin'.
  if (session.user?.role !== 'admin') throw new Error('Forbidden')

  return session
}, 'session')
```

API routes:

```ts
import type { APIHandler } from '@solidjs/start/server'

export const GET: APIHandler = async (event) => {
  const session = await event.locals.getSession()

  if (session.user?.role !== 'admin') return new Response('Forbidden', { status: 403 })

  // A returned plain object is serialized as JSON by SolidStart.
  return session
}
```