I'm working on implementing role-based access control in my Next.js application using NextAuth and this is my first time doing a login. I have a specific approach to distinguish between admin and user roles based on email addresses, but I'm concerned about the security implications. Here's my current setup:
import NextAuth from "next-auth/next";
import GoogleProvider, { GoogleProfile } from "next-auth/providers/google";

const handler = NextAuth({
  providers: [
    GoogleProvider({
      profile(profile: GoogleProfile) {
        return {
          ...profile,
          id: profile.sub,
          // ADMIN_EMAILS is a single comma-separated string, so includes() is a
          // substring test on that string rather than a list-membership check.
          role: process.env.ADMIN_EMAILS?.includes(profile.email) ? "admin" : "user",
        }
      },
      clientId: process.env.GOOGLE_CLIENT_ID as string,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
    }),
  ],
  callbacks: {
    // Copy the role onto the JWT on sign-in (user is only defined on the first call).
    async jwt({ token, user }) {
      if (user) {
        token.role = user.role
      }
      return token
    },
    // Expose the role from the JWT to the client-side session object.
    async session({ session, token, user }) {
      if (session?.user) session.user.role = token.role
      return session
    }
  }
})
I'm using the email address to determine whether a user is an admin or a regular user based on whether their email is in the process.env.ADMIN_EMAILS list.
My question is: Is this approach secure, or are there recommended improvements or best practices to enhance the security of this role differentiation? I know I can do it with databases but I want to know if this way is safe too.
I would appreciate any insights or suggestions regarding the security of this setup and how to make it more robust.
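An added example (not the asker's code) that puts the substring check from the question beside an exact, normalized allow-list lookup so the difference can be exercised on sample profiles. The `Profile` shape, the `assignRole`-style function names and the sample addresses are assumptions for illustration; only the Google profile fields the check uses are modelled.

```typescript
// Constructed example: role assignment from an ADMIN_EMAILS environment string.
// The Profile type models just the Google profile fields used here (assumption).
type Role = "admin" | "user";
interface Profile {
  sub: string;
  email: string;
  email_verified: boolean;
}

// What the question's code does: ADMIN_EMAILS is one string, so String.includes
// is a substring test. Any address that is a suffix/infix of a listed one matches.
function roleBySubstring(adminEmails: string | undefined, profile: Profile): Role {
  return adminEmails?.includes(profile.email) ? "admin" : "user";
}

// Parse the comma-separated allow-list once into a Set of normalized addresses.
function parseAdminEmails(adminEmails: string | undefined): Set<string> {
  return new Set(
    (adminEmails ?? "")
      .split(",")
      .map((e) => e.trim().toLowerCase())
      .filter((e) => e.length > 0),
  );
}

// Exact, case-insensitive match against the set, and only for an address the
// provider reports as verified; anything else falls back to the least privilege.
function roleByAllowList(admins: Set<string>, profile: Profile): Role {
  if (!profile.email_verified) return "user";
  return admins.has(profile.email.trim().toLowerCase()) ? "admin" : "user";
}
```

In the NextAuth config this would replace the `role:` expression inside `profile()`, with `parseAdminEmails(process.env.ADMIN_EMAILS)` computed once at module load.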