AdonisJS provides a standard way to define middleware and gate access to routes based on defined validation rules. Here that middleware is leveraged to allow role-based access to routes.
The `routes.js` file will have something akin to the below:
First, we will group routes for the different roles and introduce the middleware.
- `login` methods are available to unauthenticated and authenticated users
- To-do `index` is available only to authenticated users. `auth` is provided by AdonisJS
- Deleting a to-do is allowed only for admin
Now, we write the actual middleware. Create an `admin.js` file in the `Middleware` folder under root and introduce the following code:
What happens when a user tries to access the delete route:
- Adonis executes the `auth` middleware first; it passes if the user is authenticated
- `admin` then checks whether `user.role_cd`, a custom field, has the value `'admin'`. If this does not check out, an exception is thrown
- `InvalidAccessException` is a custom exception that returns a `404` with a custom message (see [custom exceptions in Adonis](/custom-exceptions-in-adonisjs/))
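The `admin` middleware and `InvalidAccessException` described above, written out as an added example (not the post's own code). It assumes AdonisJS v4 conventions, namely that `auth` has already populated `ctx.auth.user` and that an exception class may carry a `handle()` hook; `runDeleteRoute` is a small stand-in for the framework's middleware chain, constructed here so the example runs offline.

```javascript
'use strict';

// Custom exception, like the post's InvalidAccessException: the handle()
// hook (AdonisJS v4 exception convention) maps it to a 404 with a custom
// message so the caller cannot tell a forbidden resource from a missing one.
class InvalidAccessException extends Error {
  constructor(message = 'Resource not found') {
    super(message);
    this.name = 'InvalidAccessException';
    this.status = 404;
  }
  handle(error, { response }) {
    response.status(error.status).send({ message: error.message });
  }
}

// The admin middleware. It assumes `auth` already ran and put the logged-in
// user on ctx.auth.user; role_cd is the custom role column named in the post.
class Admin {
  handle({ auth }, next) {
    const user = auth && auth.user;
    if (!user || user.role_cd !== 'admin') {
      throw new InvalidAccessException();
    }
    return next();
  }
}

// Stand-in for the framework's middleware chain (not Adonis code): runs the
// admin middleware over a constructed context and returns what was sent.
function runDeleteRoute(user) {
  const sent = {};
  const ctx = {
    auth: { user },
    response: {
      status(code) { sent.status = code; return this; },
      send(body) { sent.body = body; return this; },
    },
  };
  try {
    new Admin().handle(ctx, () => ctx.response.status(200).send({ message: 'todo deleted' }));
  } catch (err) {
    if (!(err instanceof InvalidAccessException)) throw err;
    err.handle(err, ctx);
  }
  return sent;
}
```

In a real application the `auth` middleware runs before `admin` in the route's `.middleware(['auth', 'admin'])` chain; the stand-in only covers the second step, which is where the role check lives.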
In a previous post we had a short discussion on implementing access rules in Adonis based on roles. Should you implement that vs. implementing the above in routes?
Well - it depends.
- If the entire route is cordoned off to certain roles, role-based validation at the route level is the cleaner approach.
- For everything else, let your controller take the lead for role-based authentication.
In the real world, you would want to implement a separate service for role-based auth. This service can be called by your route middleware, or your controllers depending on your use case.