Accessibility for GitHub users only

I am wondering if there is a way where I can make my site only accessible to those with a GitHub account, specifically to only people within the company that have read permissions? The admin page is accessible to people if they get the link and type the “/admin” at the end, and they can get in without having to go through our Auth0. I cannot make the registration private as we cannot pay $100/month for 100 invite-only users. So is there a way where they could get the link but be redirected, or in code have it verify they have a GitHub account? We are looking at dropping the Auth0 login and making it so people must have a GitHub account to view the site and get to the admin page.

Hi @TaylorGarpow,

Just to confirm, are you asking for an alternative to Role Based Access Control with external providers? From what I understood, you’re asking if you can use Auth0 as an external provider with Netlify’s Role Based Access Control. Do correct me if that’s wrong.

But, you also say that you’re planning to drop Auth0 and only use GitHub to login. So, it seems as if you’re trying to implement GitHub OAuth to control access to the website.

If that’s the case, unfortunately there’s no server-side way to prevent access to that page. You’d have to manage this in client-side JavaScript and try to check as soon as possible if a user is logged in and if not, redirect them to the login page. The problem with this is, you’d have to make sure to make your website impossible to run without JavaScript and if not impossible, at least make sure that any confidential data cannot be leaked without keeping JavaScript on.

For example an insecure way would be trying to do something like:

  • Keep body{display:none} and change it to body{display:block} after login. This is insecure because anyone can change it themselves and see the contents by disabling JavaScript.

A secure way would be something like:

  • Keep bare HTML for the page to be authenticated. Only after a user logs in, make a fetch call to an API (using Netlify Functions or something else) with the user’s bearer token to make it more secure and display the data on the client-side. This way, the user won’t have an option but to login and if JavaScript is disabled, they won’t be able to see the data. But then again, they could run the fetch call using curl or something, but you’d have to try to add additional security rules inside the function to prevent that.

Then again, an easier way would be to use Netlify’s RBAC, but if upgrading is not an option, you’d have to rely on client-side scripting.

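The secure pattern described in the answer above, as an added example that is not code from the original thread: a Netlify Function in JavaScript that checks the caller's GitHub bearer token against the GitHub API and requires membership in the company organisation before returning any protected data. The organisation name, the read:org scope on the token and the injectable fetchImpl (used so the logic can be exercised offline) are assumptions.

```javascript
// Added example, not code from the original thread. Assumes the client already
// completed GitHub OAuth and sends "Authorization: Bearer <token>", that ORG is
// the company's GitHub organisation (placeholder), and that the token carries
// the read:org scope so private org members are visible to the membership check.
const GITHUB_API = 'https://api.github.com';
const ORG = process.env.GITHUB_ORG || 'example-org'; // placeholder org name

async function verifyGithubMember(authHeader, fetchImpl) {
  if (!authHeader || !/^Bearer\s+\S+$/i.test(authHeader)) {
    return { ok: false, status: 401, reason: 'missing bearer token' };
  }
  const headers = { Authorization: authHeader, 'User-Agent': 'netlify-fn' };
  // Step 1: the token must resolve to a GitHub user.
  const userRes = await fetchImpl(`${GITHUB_API}/user`, { headers });
  if (userRes.status !== 200) {
    return { ok: false, status: 401, reason: 'token rejected by GitHub' };
  }
  const { login } = await userRes.json();
  // Step 2: that user must be a member of the company organisation. GitHub
  // answers 204 for a member, 404 for a non-member and 302 when the requester
  // itself may not see the membership list; only 204 is accepted here.
  const memberRes = await fetchImpl(`${GITHUB_API}/orgs/${ORG}/members/${login}`,
    { headers, redirect: 'manual' });
  if (memberRes.status !== 204) {
    return { ok: false, status: 403, reason: `${login} is not a member of ${ORG}` };
  }
  return { ok: true, status: 200, login };
}

// The protected payload is never in the static HTML; it only leaves the
// function after both checks pass, and the response is marked uncacheable.
function makeHandler(fetchImpl = globalThis.fetch) {
  return async (event) => {
    const h = (event && event.headers) || {};
    const check = await verifyGithubMember(h.authorization || h.Authorization || '', fetchImpl);
    if (!check.ok) {
      return { statusCode: check.status, body: JSON.stringify({ error: check.reason }) };
    }
    return {
      statusCode: 200,
      headers: { 'Cache-Control': 'no-store' },
      body: JSON.stringify({ login: check.login, data: 'constructed admin payload' }),
    };
  };
}

// Netlify looks for exports.handler; the guard keeps the file loadable as ESM too.
if (typeof module !== 'undefined') {
  module.exports = { handler: makeHandler(), makeHandler, verifyGithubMember };
}
```

Because the membership check also rejects a valid token from a user outside the organisation, a curl call with someone's personal GitHub token still gets a 403 rather than the data.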