How to Securely Differentiate Admin and User Roles with NextAuth and Next.js?


I'm working on implementing role-based access control in my Next.js application using NextAuth and this is my first time doing a login. I have a specific approach to distinguish between admin and user roles based on email addresses, but I'm concerned about the security implications. Here's my current setup:

import NextAuth from "next-auth/next";
import GoogleProvider, { GoogleProfile } from "next-auth/providers/google";

// ADMIN_EMAILS is a comma-separated list; parse it once into exact entries.
// (A plain string.includes() would be a substring search, not list membership.)
const ADMIN_EMAILS = (process.env.ADMIN_EMAILS ?? "")
    .split(",")
    .map((e) => e.trim())
    .filter((e) => e.length > 0);

const handler = NextAuth({
    providers: [
        GoogleProvider({
            profile(profile: GoogleProfile) {
                return {
                    ...profile,
                    id: profile.sub,
                    // Exact match against the allowlist decides the role.
                    // `role` needs the usual next-auth module augmentation for types.
                    role: ADMIN_EMAILS.includes(profile.email) ? "admin" : "user",
                }
            },
            clientId: process.env.GOOGLE_CLIENT_ID as string,
            clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
        }),
    ],
    callbacks: {
        // `user` is only present on the initial sign-in; copy the role into the JWT then.
        async jwt({ token, user }) {
            if (user) {
                token.role = user.role
            }
            return token
        },
        // Expose the role to the client session from the server-signed token.
        async session({ session, token }) {
            if (session?.user) session.user.role = token.role
            return session
        }
    }
})

// App Router route handler: app/api/auth/[...nextauth]/route.ts
export { handler as GET, handler as POST }

I'm using the email address to determine whether a user is an admin or a regular user based on whether their email is in the process.env.ADMIN_EMAILS list.

My question is: Is this approach secure, or are there recommended improvements or best practices to enhance the security of this role differentiation? I know I can do it with databases, but I want to know if this way is safe too.

I would appreciate any insights or suggestions regarding the security of this setup and how to make it more robust.


There are 0 answers
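The role decision above is small enough to be pulled out and unit-tested on its own. The following is an added example, not code from the question or from NextAuth: it places the question's original substring check (`process.env.ADMIN_EMAILS?.includes(profile.email)`) beside a hardened allowlist check, and adds the server-side authorization test that any route handler or middleware should run against the session token. It assumes ADMIN_EMAILS is a comma-separated string and that the Google profile carries the OIDC `email` and `email_verified` claims; the sample emails are constructed for illustration.

```typescript
// Added example (not from the original question): role assignment as pure,
// testable functions. Assumes ADMIN_EMAILS is comma-separated and that the
// Google profile exposes the OIDC `email` and `email_verified` claims.

type Role = "admin" | "user";

interface GoogleProfileLike {
  sub: string;
  email: string;
  email_verified?: boolean;
}

// Original behaviour from the question: String.prototype.includes is a
// substring search, not list membership. Kept only to show the failure mode.
function roleBySubstring(profile: GoogleProfileLike, adminEmails: string | undefined): Role {
  return adminEmails?.includes(profile.email) ? "admin" : "user";
}

// Parse the allowlist once at startup: trimmed, lowercased, exact entries.
// Empty entries are dropped so a trailing comma cannot add "" to the set.
function parseAdminEmails(raw: string | undefined): Set<string> {
  return new Set(
    (raw ?? "")
      .split(",")
      .map((e) => e.trim().toLowerCase())
      .filter((e) => e.length > 0),
  );
}

// Hardened decision: exact membership, and only when Google reports the
// address as verified. Anything missing or unverified falls through to "user".
function roleForProfile(profile: GoogleProfileLike, admins: Set<string>): Role {
  if (profile.email_verified !== true) return "user";
  return admins.has(profile.email.toLowerCase()) ? "admin" : "user";
}

// Server-side enforcement: only the role carried in the server-signed session
// JWT is trusted. A role value sent by the client is never consulted.
function isAuthorized(tokenRole: string | undefined, required: Role): boolean {
  if (required === "user") return tokenRole === "user" || tokenRole === "admin";
  return tokenRole === "admin";
}

// Constructed sample data: two legitimate admins and one lookalike address.
// "bob@example.com" is a prefix of "bob@example.company.com", so the substring
// check grants admin to an account on an unrelated domain.
const SAMPLE_ADMIN_EMAILS = "alice@example.com, bob@example.company.com";
const sampleAdmins = parseAdminEmails(SAMPLE_ADMIN_EMAILS);
const lookalike: GoogleProfileLike = { sub: "1", email: "bob@example.com", email_verified: true };

console.log("substring check:", roleBySubstring(lookalike, SAMPLE_ADMIN_EMAILS)); // admin (wrong)
console.log("allowlist check:", roleForProfile(lookalike, sampleAdmins));         // user
console.log("user hitting admin route:", isAuthorized("user", "admin"));          // false
```

In the NextAuth setup, `parseAdminEmails` would run once at module load, `roleForProfile` would be called from the provider's `profile()` callback, and `isAuthorized` is the check a server component, route handler or middleware performs on `token.role` before doing any privileged work; the value in `session.user.role` is for rendering only, since the browser can be made to send anything.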