Netlify Identity Role-based Access Control not working

Nice, looks like the redirects were correctly processed there :tada: When I click “LOGIN” on your site, I get through the flow and am able to login. Can you see what happens when you try?

Just wondering which login you are clicking; when I am testing, /login is the page with the Netlify Identity login.

When logged out, /rates redirects back to /; however, when I log in, the same happens. When logged in as a user with an admin role, I still get redirected to /.

If it’s any help to you I can invite you so that you could test it out.

Hey @kylesloper! :wave:t2:

Following along here but just jumping in to clarify: are you testing locally or on your production site? (or on a deploy preview / branch deploy)


Jon

I’m assuming @jonsully you are referring to when I said

If that’s the case then I meant that on my site there are 2 links that say login; only one of them will take you to the Netlify Identity login page, the other to Netlify CMS. To avoid any confusion I’ll update that now. Just to be clear, the login page is at /login.

Okay, cool! Just making sure. I’m not sure if I mentioned it above or in another thread, but role-based access control in _redirects behaves quite differently in environments other than your production site. We’ll want to focus on your production / live site for debugging efforts :slight_smile:

1 Like

Your current rules seem to work for me:

When I’m logged in, I can get to /rates:

When I’m not logged in, I cannot get to /rates, only https://moonface.netlify.app/

I did this by creating a Netlify CMS user. So, note that whatever roles are set by creating a Netlify CMS user also seem to grant access to the /rates page, not sure if that’s intended or not.

1 Like

Okay, I have no idea whether or what you did, but it works :tada:

1 Like

Woohoo! I just reformatted what you had for the netlify.toml format :slight_smile:

TL;DR for anyone who encounters this problem in future:

  • check Jon and Slim’s giant thread above for a good pattern/set of rules for RBAC with Netlify Identity
  • if _redirects file isn’t working for you, being picked up, etc., try instead adding the rules to netlify.toml in the root directory
2 Likes

Thank you so much for your help :))

2 Likes

Hey, for some reason the role-based redirects are not working again. No matter whether the user is logged in or not, they are always redirected.

My deploy logs tell me that the redirect rules were processed and there are no errors, so I’m sure it’s just a small error I’ve made.

Git repo if needed: https://github.com/kylesloper/moonface

Netlify site: MOONFACE | Sites for Creatives

When I log in, get an nf_jwt token from Identity in my browser storage, and decode it here, I’m seeing that it does not have the required roles field:

{
  "exp": 1611707608,
  "sub": "fe73ec53-768b-4f83-aa3f-202ad084fe20",
  "email": [ redacted :) ],
  "app_metadata": {
    "provider": "email"
  },
  "user_metadata": {}
}

This should look like:

{
  "exp": 1611707608,
  "sub": "fe73ec53-768b-4f83-aa3f-202ad084fe20",
  "email": [ redacted :) ],
  "app_metadata": {
    "provider": "email",
    "roles": ["rdm", "admin"]
  },
  "user_metadata": {}
}

This is probably why we’re not being redirected to paths that require specific roles to be set. Now that your Identity instance is invite-only, have you updated the roles of the people you’ve invited? You’d do that here: https://app.netlify.com/sites/moonface/identity/ and click the user to set the roles.

Updated those roles on every user’s account :slight_smile:

A quick note that even after you update roles, you’ll need to log out then back in so the JWT in your browser gets reloaded with the new roles. Does it work after that, @kylesloper?
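The two decoded payloads above, and the note that roles only show up after logging out and back in, come down to one thing: the `roles` array is baked into the nf_jwt at login under `app_metadata`, and the redirect engine only sees what that token carries. The following is an added example (not code from this thread, from Netlify, or from the moonface repo) that decodes such a token offline, reports which roles it carries and whether it has expired, and models how a role-conditioned redirect rule would treat it. The `RULES` list, the `NOW` clock, the email addresses and the unsigned sample tokens are all constructed for the example; the real rule semantics are assumed to be "first matching rule wins, and a `Role` condition is satisfied by any one listed role". The decode does not verify the signature (Netlify's edge does that), so it is a diagnostic, never the access control itself.

```javascript
// Added example, not code from the thread or from Netlify: decode an nf_jwt
// Identity token, pull app_metadata.roles out of it, and model how a
// role-conditioned redirect rule would treat that token.
// Decoding here is a diagnostic only. The signature is NOT checked (Netlify's
// edge verifies it), so this must never serve as the access control itself.

function base64UrlToString(segment) {
  // JWT segments are base64url without padding; restore padding and the
  // standard alphabet before handing the string to Buffer.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function stringToBase64Url(str) {
  return Buffer.from(str, "utf8")
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a JWT: expected header.payload.signature");
  }
  return JSON.parse(base64UrlToString(parts[1]));
}

// Roles are baked into the token at login under app_metadata.roles; a token
// issued before roles were assigned simply has no such field.
function rolesOf(payload) {
  const roles = payload.app_metadata && payload.app_metadata.roles;
  return Array.isArray(roles) ? roles : [];
}

function isExpired(payload, nowSeconds) {
  return typeof payload.exp !== "number" || payload.exp <= nowSeconds;
}

// Minimal model of role-conditioned redirects (assumption: rules are tried in
// order; the first whose `from` matches the path and whose Role condition, if
// any, is satisfied by ANY role in the token wins; an expired or absent token
// is treated as anonymous).
function resolveRedirect(rules, path, payload, nowSeconds) {
  const roles = payload && !isExpired(payload, nowSeconds) ? rolesOf(payload) : [];
  for (const rule of rules) {
    if (rule.from !== path) continue;
    const required = rule.conditions && rule.conditions.Role;
    if (required && !required.some((r) => roles.includes(r))) continue;
    return rule;
  }
  return null;
}

// Build an UNSIGNED token from a payload so the example runs offline. This is
// constructed test data; a real nf_jwt is HS256-signed by GoTrue.
function makeUnsignedToken(payload) {
  const header = { alg: "none", typ: "JWT" };
  return `${stringToBase64Url(JSON.stringify(header))}.${stringToBase64Url(JSON.stringify(payload))}.`;
}

// Rules mirroring the thread's /rates page (assumed; the thread's own rules
// are not shown): admins get the page, everyone else bounces to /.
const RULES = [
  { from: "/rates", to: "/rates", status: 200, force: true, conditions: { Role: ["admin"] } },
  { from: "/rates", to: "/", status: 302, force: true },
];

const NOW = 1611700000; // constructed clock, earlier than the sample exp

// Constructed payloads shaped like the two decoded in the thread.
const SAMPLE_NO_ROLES = makeUnsignedToken({
  exp: 1611707608,
  sub: "fe73ec53-768b-4f83-aa3f-202ad084fe20",
  email: "user@example.invalid",
  app_metadata: { provider: "email" },
  user_metadata: {},
});
const SAMPLE_ADMIN = makeUnsignedToken({
  exp: 1611707608,
  sub: "fe73ec53-768b-4f83-aa3f-202ad084fe20",
  email: "user@example.invalid",
  app_metadata: { provider: "email", roles: ["rdm", "admin"] },
  user_metadata: {},
});

// One-call diagnosis: what a given cookie value would get for a path.
function diagnose(token, path, nowSeconds = NOW) {
  const payload = decodeJwtPayload(token);
  const rule = resolveRedirect(RULES, path, payload, nowSeconds);
  return {
    roles: rolesOf(payload),
    expired: isExpired(payload, nowSeconds),
    outcome: rule ? `${rule.status} -> ${rule.to}` : "no rule matched",
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("no roles :", diagnose(SAMPLE_NO_ROLES, "/rates"));
  console.log("admin    :", diagnose(SAMPLE_ADMIN, "/rates"));
  console.log("stale/exp:", diagnose(SAMPLE_ADMIN, "/rates", 1611707608));
}
```

To use it against a real site, paste the value of the nf_jwt cookie (or the token from browser storage) in place of the sample and call `diagnose(token, "/rates")`: an empty `roles` array means the token was issued before the role was assigned (so log out and back in), while a non-empty array that still bounces points at the rule order or the `Role` spelling in netlify.toml rather than at Identity.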

Yea unfortunately it doesn’t.

Seems to be working for me now but I did notice some strange behavior on moonface.netlify.app vs. moonface.ga: I can be “logged in” on moonface.netlify.app/login, but not moonface.ga/login, and vice versa (logged in on moonface.ga, but not the Netlify URL).

We’re in our company all-hands through the rest of the week, but we should be able to dive in next week and get you more details on why this is happening!

In the meantime, can you take a look and see if you’re seeing the correct behavior on at least one domain: either Netlify URL or custom domain?

1 Like

Sure I’ll do that now.

I think that makes sense actually :thinking:. GoTrue is going to respond with a set-cookie directive from whichever domain it’s called at, but your browser is only going to send that cookie back to the server from the same domain. GoTrue will respond from both the .netlify.app subdomain and the custom .ga domain… but you’re only going to be logged in on that particular domain.

You can get into some weirdness there since you could technically have two fully separate sessions going — log in on .netlify.app and then switch over and log in on .ga and now you have the same user logged in from two different domains :stuck_out_tongue: but ignoring that for now…

The _redirects should be followed for that particular domain. If you log in on the .netlify.app domain then attempt to hit the RBAC’d pages on .netlify.app, that should work. And vice versa. But if you try to login on .netlify.app then hit the RBAC’d pages on .ga, that would fail :thinking:

I don’t actually have an account on Moonface, nor does the auth / login interface appear to load for me so I can’t definitively check these things myself, but logically I believe it follows.

It may be simpler to set up a _redirects rule that forces all traffic to your custom domain, @kylesloper — or at least it’ll help eliminate variables. In TOML format it should look like:

[[redirects]]
  from = "https://moonface.netlify.app/*"
  to = "https://moonface.ga/:splat"
  status = 302
  force = true

Onward!


Jon

2 Likes

Cheers @jonsully for your input… that’s actually really interesting to see how GoTrue works via custom domains.

If you want to do more investigating, it would be very much appreciated and I could send you a signup link to your email. PM me your email if you’re up to it! :grinning:

Alrighty, let’s do this thing :muscle:t2: what’s currently deployed as far as your netlify.toml goes / what redirects are in place? What’s a path on your site that I shouldn’t be able to access when logged out but should be able to when logged in?

Just spinning up on context here

Sorry for the spam that’s about to lay out, Jen :sweat_smile:

@kylesloper responded in PM but I want to keep this public for others’ future learning :stuck_out_tongue:

The login page is at /login/, which auths you with roles so that you can access /cockpit and /chat

But I don’t actually see anything going wrong here @kylesloper — once you added the roles to my user and I logged out then back in so they’d be applied, I can now view /cockpit and /chat :thinking: I’m exclusively using the .ga domain but all seems well here

1 Like