
Authorization

This guide will help you get started with authorization in your SaaS app.

Authorization refers to what users can access in your app. This is useful for differentiating between users who have paid for different subscription tiers (e.g. "hobby" vs "pro"), or between users who have admin privileges and those who do not.

Authorization differs from authentication in that authentication refers to the process of verifying that a user is who they say they are (e.g. logging in with a username and password).

To learn more about the different types of user permissions built into this SaaS template, check out the User Permissions Reference.

Need help? Ask us on Discord (requires the pro plan).

Server-side Authorization

Authorization on the server side is the core of your access control logic and determines what users actually can or can’t do (unlike client-side authorization logic, which exists only for UX).

BoilerPro comes with three different levels of authorization for server-side APIs:

  1. Public: This is the default level of authorization. It allows anyone to access the API.
  2. Authenticated: This level of authorization requires a user to be logged in to access the API.
  3. isAdmin: This level of authorization requires a user to have the Admin role to access the API.

You control whether an API is public, authenticated, or admin-only by choosing which method you use to create it in AWS CDK:

boilerpro-stack.ts
// This is a public API
this.createPublicEndpoint(endpoint, method, lambdaFunction);

// This is an authenticated API
this.createAuthenticatedEndpoint(endpoint, method, lambdaFunction);

// This is an isAdmin API
this.createAdminAuthorizedEndpoint(endpoint, method, lambdaFunction);

The DynamoDB table contains an isAdmin field that you can use to control what users can and cannot access.
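To make the three levels concrete, here is an added example (not BoilerPro's own code) that models them as a pure decision function. The CDK helpers above wire the real API Gateway authorizers; the names `authorize`, `lookupPrincipal`, `handleRequest` and the inline user records are assumptions constructed for this example. The one point it adds to the text: the isAdmin flag is read from the server-side record, never from anything the client sends, and an anonymous caller gets 401 while a logged-in non-admin gets 403.

```typescript
// Added example, not BoilerPro's code: the three server-side authorization
// levels as a pure function, so they can be tested side by side.

type AuthLevel = "public" | "authenticated" | "admin";

// The caller as the API handler sees it after authentication.
// null means no valid session (anonymous request).
interface Principal {
  userId: string;
  isAdmin: boolean; // mirrors the isAdmin field on the DynamoDB user record
}

interface Decision {
  allowed: boolean;
  status: 200 | 401 | 403;
  reason: string;
}

// Constructed stand-in for the DynamoDB table: userId -> record.
const USERS: Record<string, { isAdmin: boolean }> = {
  "user-1": { isAdmin: false },
  "user-2": { isAdmin: true },
};

// Resolve the caller from an already-verified session subject.
// isAdmin comes from the stored record, not from a client-supplied claim.
function lookupPrincipal(userId: string | null): Principal | null {
  if (userId === null) return null;
  const rec = USERS[userId];
  if (!rec) return null; // unknown subject: treat as unauthenticated
  return { userId, isAdmin: rec.isAdmin === true };
}

function authorize(level: AuthLevel, principal: Principal | null): Decision {
  switch (level) {
    case "public":
      // Default level: anyone may call it.
      return { allowed: true, status: 200, reason: "public endpoint" };
    case "authenticated":
      if (principal === null) {
        return { allowed: false, status: 401, reason: "login required" };
      }
      return { allowed: true, status: 200, reason: "authenticated" };
    case "admin":
      if (principal === null) {
        return { allowed: false, status: 401, reason: "login required" };
      }
      if (!principal.isAdmin) {
        return { allowed: false, status: 403, reason: "admin role required" };
      }
      return { allowed: true, status: 200, reason: "admin" };
    default:
      // Unknown level: fail closed rather than open.
      return { allowed: false, status: 403, reason: "unknown authorization level" };
  }
}

// Evaluate an endpoint of the given level for a (possibly anonymous) subject.
function handleRequest(level: AuthLevel, userId: string | null): Decision {
  return authorize(level, lookupPrincipal(userId));
}
```

The `default` branch matters more than it looks: if a new level is added to the union and a handler forgets to handle it, the request is denied instead of silently allowed.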

DynamoDB Table

Client-side Authorization

The Next.js app comes with a custom hook called useAuth that you can use to check whether a user is logged in, whether they are an admin, and whether they are authenticated.

src/app/(app)/account/page.tsx
import { useAuth } from "@/hooks/useAuth";

const { user, isLoggedIn, isLoading } = useAuth();
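An added example (not BoilerPro's own code) of turning the useAuth state into a rendering decision for the account page. The `user.isAdmin` property and the `resolveView` function are assumptions for this example; the page only shows `user`, `isLoggedIn` and `isLoading`. The case worth getting right is `isLoading`: while the session is still being resolved, `isLoggedIn` is false, and redirecting at that moment would bounce every logged-in user to the login page on refresh. This decides what to show; the server-side levels above are what actually enforce access.

```typescript
// Added example, not BoilerPro's code: derive the account page's view from
// the state returned by useAuth(), treating "still loading" as its own case.

interface AuthState {
  user: { id: string; isAdmin?: boolean } | null; // isAdmin is assumed here
  isLoggedIn: boolean;
  isLoading: boolean;
}

type View = "spinner" | "redirect-to-login" | "account" | "admin-account";

function resolveView(state: AuthState): View {
  // Edge case: the session has not resolved yet, so isLoggedIn is not yet
  // meaningful. Show a spinner instead of redirecting.
  if (state.isLoading) return "spinner";
  if (!state.isLoggedIn || state.user === null) return "redirect-to-login";
  // Admin-only UI is a convenience; the admin API still checks isAdmin itself.
  return state.user.isAdmin === true ? "admin-account" : "account";
}
```

In the page component you would call `resolveView(useAuth())` and switch on the result, rendering a spinner, calling the router to redirect, or rendering the account (or admin) view.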