Authentication and Authorization

The process of is fairly simple using a few tools on the front and backend. But let's start with some concepts that carry across both first.

Roles

Each user can be assigned zero or one role. The role object contains permission flags that determine the access level of the user. Users with no role don't have access to anything. Users with the isAdmin permission have full access. The rest of the permissions are listed here:

  • isAdmin
  • canAccessPersonalData
  • canManageUsers
  • canManageEvents
  • canManageTickets
  • canManageOrders
  • canManageProducts
  • canManageStaff
  • canManageInventory
  • canManageNews
  • canManageBingo
  • canManageRoles
This list updates automatically

Roles are stored in the database and not fixed. They can be managed from the admin panel.

MFA

We offer the possibility to use MFA. The implementation has the caveat that a user with MFA enabled might have a session already, but is not authenticated yet. So please don't use the existence of a session has confirmation that the user is logged in fully.

Server tools

Context

The first step to building proper authentication and authorization is to fetch the correct data from the context. There are two useful variables in the context:

authenticatedUser

This is the user that is logged in. This will be undefined until the user is fully authenticated including MFA.

isAuthenticated

Indicates that someone is logged in in the current context. You can use this,

How to use the context

The easiest way is to use the permissionCheck function. This function will check, if the given user is defined and has all the roles listed or is an admin. If the user doesn't meet the criteria the function will throw an UNAUTHORIZED error. Here is a full sample of what a secured endpoint on the server might look like:

On the web

On all our websites the auth state is managed with the SessionStore. It is provided on the root level and can be injected into any page / component. To get the currently logged in user you can simply do this:

In most cases however you don't want to even allow access to the page. For that we have defined two guards:

  • isLoggedIn: Simply checks, if there is a authenticated user
  • hasPermission([]): Checks, if the user has the given permissions. Works the same as the permissionCheck function

Adding more permissions

Adding more permissions is also simple and can be done in a few steps:

  1. Add a new permission flag to the Role database table using Prisma.
  2. Adjust the API definition of the Role type in libs\app\user\common\role.ts.
  3. Add the permission to the correct roles using the admin panel.
  4. Congrats! Thats it.