https://serverless-stack.com/ logo
#sst
Title
# sst
j

Joel Corona

09/16/2021, 1:50 PM
Hi devs, how do you implement RBAC?
t

thdxr

09/16/2021, 2:06 PM
RBAC in your application?
j

Joel Corona

09/16/2021, 2:07 PM
users in db have a role, would like to allow certain roles per endpoint
t

thdxr

09/16/2021, 2:10 PM
I'm curious about this as well
j

Joel Corona

09/16/2021, 2:11 PM
I thought about managing it with a custom authorizer, but I can't find a way to make it dynamic per endpoint.
o

Omi Chowdhury

09/16/2021, 2:49 PM
Yeah you’d need a mapping between routes and roles inside the authorizer to do it in there. Currently I use
graphql-shield
with apollo. The last REST API I did had individual lambdas for each endpoint/method. For that one I created a shared auth lib. It had two modes - for admin and user functionality. Admin auth was a function that when called it • checked you had the admin role on the request object (admin role was stored on the jwt via auth0) • threw an exception if you weren’t an admin User auth took in a async check function as a parameter. When called it’d: • retrieve the user from the DB (unless it was already attached to the request object) • run the check function, with the user as a parameter (since this function is passed in, it has access to the closure of the calling code, so it can check
entity.owner === user.id
etc). Could also make its own db calls if needed, but usually the data needed to authorise had to be loaded by the handler anyway. Check function must return true • throw an exception is user isn’t found or check function returns not true
d

Drew

09/17/2021, 1:21 AM
We have roles coded into our app right now. The users get the role in our database. The actions allowed by the role are defined in a code. The lambda endpoints check if the user’s role has permissions. It works. However, our configuration is a bit too rigid, and mostly it just means that we end up granting permissions over and over again. I’m curious about opensource solutions, google zanzibar, and/or oso. https://www.osohq.com/
o

Omi Chowdhury

09/17/2021, 1:23 AM
Met a founder from this startup that’s building a saas solution to this: https://www.govista.io/#/
j

Jay

09/18/2021, 2:30 AM
Another startup to throw in the mix https://authzed.com