dev-resources.site
for different kinds of informations.
Nuxt Authorization: How to Implement Team Role-Based Access Control in Nuxt 3
Published at
12/4/2024
Categories
nuxt
typescript
prisma
authjs
Author
tanay
Author
5 person written this
tanay
open
If you're building a multi-tenant SaaS in Nuxt 3, you'll need a robust permissions system.
Here's how I built a type-safe RBAC system that scales from small teams to enterprise, using Prisma and tRPC.
The Stack
- nuxt-authorization for defining abilities
- Prisma for the database layer
- tRPC for type-safe API calls
- Works with any auth provider (sidebase/nuxt-auth in this example)
Basic Setup
First, install the authorization module:
pnpx nuxi@latest module add nuxt-authorization
Client-Side Authorization
Set up a plugin to resolve the user on the client:
export default defineNuxtPlugin({
name: "authorization-resolver",
parallel: true,
setup() {
return {
provide: {
authorization: {
resolveClientUser: () => useAuth().data.value?.user,
},
},
};
},
});
Server-Side Authorization
Similarly for the server:
import { getServerSession } from "#auth";
export default defineNitroPlugin((nitroApp) => {
nitroApp.hooks.hook("request", async (event) => {
event.context.$authorization = {
resolveServerUser: async () => {
return (await getServerSession(event))?.user;
},
};
});
});
Defining Type-Safe Abilities
Here's how we define shared abilities that work on both client and server:
interface User {
id: string;
teams?: string[];
permissions?: Record<string, string[]>;
}
const hasTeamPermission = (
user: User | null,
teamId: string,
permission: string,
): boolean =>
!!user?.teams?.includes(teamId) &&
(user?.permissions?.[teamId] || []).includes(permission);
export const listTeams = defineAbility(() => true);
export const getTeamDetails = defineAbility(
(user: User, teamId: string) => !!(teamId && user?.teams?.includes(teamId)),
);
export const updateTeamDetails = defineAbility(
(user: User | null, teamId: string) =>
hasTeamPermission(user, teamId, PERMISSIONS.TEAMS.UPDATE),
);
Database Schema
Your Prisma schema needs to support roles and permissions:
model TeamMembership {
id String @id @default(cuid())
role Role @relation(fields: [roleId], references: [id])
// [...]
}
model Role {
id String @id @default(cuid())
teamId String?
name String
description String?
isDefault Boolean @default(false)
isSystemRole Boolean @default(false)
permissions Permission[]
// [...]
}
model Permission {
id String @id @default(cuid())
title String
description String?
action String
roleId String
// [...]
}
Using Abilities in Components
Check permissions in your Vue components:
<Can :ability="deleteTeamAbility" :args="[team?.id || '']">
<!-- Protected content here -->
</Can>
Type-Safe API Authorization
Create a tRPC procedure for checking abilities:
export const abilityProcedure = protectedProcedure.use(async (opts) => {
const { ctx } = opts;
return opts.next({
ctx: {
...ctx,
allows: async function allow<Ability extends BouncerAbility<any>>(
ability: Ability,
...args: BouncerArgs<Ability>
) {
return await allows(ctx.event, ability, ...args);
},
authorize: async function auth<Ability extends BouncerAbility<any>>(
ability: Ability,
...args: BouncerArgs<Ability>
) {
try {
await authorize(ctx.event, ability, ...args);
} catch (error) {
throw new TRPCError({
code: "FORBIDDEN",
message: error instanceof Error ? error.message : "Not authorized",
});
}
},
},
});
});
Use it in your API routes:
{
get: abilityProcedure
.input(
z.object({
teamIdentifier: z.string(),
}),
)
.query(async ({ ctx: { authorize, user, prisma }, input }) => {
await authorize(getTeamDetails, team.id);
// Protected logic here
}),
}
Why this works well
- Fully type-safe from database to UI
- No external authorization service needed
- Works seamlessly with any auth provider
- Scales from simple to complex permission structures
Try it yourself
Want to see this RBAC system in action? This exact implementation is part of my Nuxt SaaS boilerplate.
If you're building a multi-tenant SaaS, check it out—it comes with everything you need: type-safe APIs using tRPC, team management, authentication, billing, and more. Every feature is built with the same attention to developer experience as this permissions system.
prisma Article's
30 articles in total
How to Fix the “Record to Delete Does Not Exist” Error in Prisma
read article
Building Type-Safe APIs: Integrating NestJS with Prisma and TypeScript
read article
Deploying an Existing Express API + Prisma + Supabase Project to Vercel
read article
Exploring the Power of Full-Stack Development with Next.js and Prisma
read article
How to integrate GitHub CopilotKit with Prisma Integration into your nextJs project Using OpenAI
read article
วิธีทำ Auth API ด้วย Express, JWT, MySQL และ Prisma
read article
Prisma
read article
How we built "Space-Ease" using Next.js
read article
Query Objects Instead of Repositories: A Modern Approach to Data Access
read article
Common Data Loss Scenarios & Solutions in Prisma Schema Changes
read article
How I Solved Common Prisma ORM Errors: Debugging Tips and Best Practices
read article
Prisma 101 baby.
read article
Prisma
read article
QueryBuilder in Action Part 1
read article
Prisma ORM: Revolutionizing Database Interactions
read article
Prisma & MongoDB: server to be run as a replica set
read article
Using GenAI to Tackle Complex Prisma Model Migrations
read article
When Embedded AuthN Meets Embedded AuthZ - Building Multi-Tenant Apps With Better-Auth and ZenStack
read article
Building Multi-Tenant Apps Using StackAuth's "Teams" and Next.js
read article
The Most Awaited Prisma Course Is Here! 😍
read article
**Building a Full-Stack Next.js Starter Kit: Authentication, GraphQL, and Testing**
read article
Integrate DAYTONA and let the magic begin....
read article
Cloudflare D1 and Prisma: Not a Good Combination (For Now)
read article
Resolving the `DO $$` Issue in Drizzle ORM with Nile Postgres
read article
Nuxt Authorization: How to Implement Team Role-Based Access Control in Nuxt 3
currently reading
Getting Started with Prisma, SQLite, and Express
read article
Senior Developer Advocate
read article
Building Multi-Tenant Apps Using Clerk's "Organization" and Next.js
read article
How to use ORMs (Prisma / Drizzle / Knex.js) in a TypeScript backend built with Encore.ts
read article
Pagination and Sorting with Prisma in TypeScript
read article
Featured ones: