one.ilmsg.in.th

⛪ Home
📚 book Think and Grow Rich
📚 book Rich Dad Poor Dad
📚 book The Power of Now
👻 book Getting Things Done (GTD)
👻 book Make Your Bed
🤖 book The 4-Hour Workweek
🤖 book Who Moved My Cheese?
🤖 book Deep Work
🤖 book How to Stop Worrying and Start Living
🤖 book Act Like a Lady, Think Like a Man
🤖 book The 7 Habits of Highly Effective People
😊 book Take back your time
🤖 book The 5 Second Rule
🤖 book The 5 Second Rule
🐕 book Data Structures & Algorithms Cheat Sheet
💬 book Chart Cheat Sheet
💬 book 8 Disciplines
💬 book Get Your Shit Together
💬 book Data Analyst
👻 book The $100 Startup
🕌 book 8 ข้อคิดจากหนังสือ The Startup Mindset
💬 book Disrupt Yourself
💬 book How to Read Any Room
💬 book Atomic Habits
💬 book หนังสือการเงิน 7 เล่ม
💬 book เคียร์เคอการ์ด ฉบับกระชับ
😺 book Startup Mindset
😊 idea (RBAC) in Next.js
😊 idea Concurrency in Go Web Applications
😊 idea best practices for multi tenant authorization
🎃 idea Your Money or Your Life
😊 idea Master The Art of Negotiation
😊 idea การรับมือกับความท้าทายในชีวิต
📌 idea Die With Zero
🎃 idea The Millionaire Fastlane
🤖 info How to learn anything 5x faster
🤖 tech Key Performance Indicators - KPIs
🤖 tech Frontend Performance Cheatsheet
🐡 tech Next.js ร่วมกับ gray-matter
📚 tech 6 Key Business Frameworks Matrix
📚 tech Chapter 01
😊 tech Concurrency in Go Web Applications
🐕 tech Essential Python Libraries for Data Science in 2025!
👋 tech Prompt Engineering Techniques
💨 tech TodoList ด้วย React, TypeScript, Firestore และ DaisyUI
🕌 tech The Ultimate API Learning Roadmap
👋 tech show me the cat
🐷 tech Running Lean
🦁 tech Cheatsheet On Database Performance
👻 tech Data Analytics
👻 tech Chapter 02
📌 tech One-Page Business Plan
🌟 tech วิธีทำน้ำอบไทย

(RBAC) in Next.js

Okay, here's a detailed summary of the video about implementing Role-Based Access Control (RBAC) in Next.js using Kinde:

1. Introduction: Authentication vs. Authorization (RBAC)

The video distinguishes between Authentication (verifying who a user is, e.g., logging them in) and Authorization (determining what an authenticated user is allowed to do).
RBAC (Role-Based Access Control) is presented as the core concept for authorization in this context. It involves assigning roles (like "basic user" or "support agent") to users, and these roles dictate their permissions.

2. Example Scenario: Support Ticket System

A simple support ticket system application built with Next.js is used as the example.
Goal: Allow any logged-in user to submit a ticket, but only allow users with a "support agent" role to view all submitted tickets.

3. Authentication Flow (Using Kinde)

Initially, the user is not logged in.
Attempting to access a protected route (like /submit-ticket) redirects the user to a login page hosted by Kinde (an external authentication provider).
The user logs in (in the demo, using GitHub via Kinde).
After successful authentication, Kinde redirects the user back to the application, now authenticated.

4. Basic User Experience & Permissions

Once logged in as a basic-user:
- They can access the /submit-ticket page.
- The UI (header/navbar) updates to show their logged-in status (email) and potentially links relevant to their role (e.g., "Submit ticket").
- They can successfully submit a new ticket using a form, which triggers a server action to save the data to the database.

5. Authorization Demonstration: Denying Access

The basic-user does not see a link to the /tickets page (where all tickets are listed).
If the basic-user manually tries to navigate to /tickets, the application checks their permissions and displays an "Access denied" message because they lack the required authorization (permission or role) to view all tickets.

6. Kinde Dashboard for RBAC Management

The video showcases the Kinde dashboard where user management, roles, and permissions are configured.
Permissions: Granular actions are defined as permissions (e.g., create:ticket, view:ticket, answer:ticket, delete:ticket). These are typically named using a verb:resource pattern.
Roles: Roles are created (e.g., basic-user, support-agent) which group multiple permissions together.
- The basic-user role is assigned only the create:ticket permission.
- The support-agent role is assigned all permissions (create:ticket, view:ticket, answer:ticket, delete:ticket).
User Assignment: Users are assigned specific roles via the Kinde dashboard. The video demonstrates changing the demo user's role from basic-user to support-agent.

7. Authorization Demonstration: Granting Access

After the user's role is updated to support-agent in Kinde and they log in again (to refresh their token/session):
- They can now successfully access the /tickets page.
- The UI (header/navbar) now shows the "Tickets" link.
- Their displayed role might also update to support-agent.

8. Implementing RBAC in Next.js Code (Using Kinde SDK)

Setup: Requires installing the Kinde Next.js SDK, setting up environment variables, and creating a Kinde API route handler for authentication callbacks.
Server-Side Checks: The core logic happens on the server side (Server Components, Server Actions, Route Handlers).
- getKindeServerSession(): This function from the Kinde SDK is used to get the current user's session information on the server.
- isAuthenticated(): Checks if the user is logged in (Authentication). Used to protect routes/actions from unauthenticated access.
- getPermission('permission_key'): Checks if the logged-in user has a specific permission (e.g., getPermission('view:ticket')). Returns an object indicating if access is granted. Used for fine-grained Authorization checks.
- getClaim('roles'): Retrieves the roles assigned to the user (requires configuring Kinde to add roles to the access token). Can be used for role-based checks instead of permission-based checks.
- getUser(): Gets details about the logged-in user (like email).
Protecting Routes/Pages: Check isAuthenticated() and potentially getPermission() at the beginning of the page component. If checks fail, use Next.js's redirect() to send the user to the login page or an access denied page.
Protecting Server Actions: Perform authentication and authorization checks inside the server action function before interacting with the database or performing sensitive operations.
Conditional UI Rendering: Use the session/permission information fetched on the server to conditionally render UI elements (like navbar links) based on whether the user should see them.

9. Key Takeaways

RBAC provides granular control over what users can do.
Protecting server-side logic (especially database interactions in Server Actions and Server Components) is the most critical aspect of security. Client-side UI hiding is secondary.
Tools like Kinde simplify the management of users, roles, permissions, and the authentication flow.
Permissions are generally preferred over roles for checks in the code as they are more specific and less likely to break if role structures change.
Be mindful of token expiration and refresh mechanisms, as changes made in the Kinde dashboard (like revoking roles/permissions) might not reflect instantly in the user's current session due to token caching (especially with JWT strategies).