Role based redirects from login to home

I’m currently on the Pro plan of Netlify and on the verge of upgrading to Business to allow this feature, but would love to iron out some details on redirects before we do.

Plan is to have a gated documentation static website with Netlify Identity on top to enable role-based redirections, so that only users who have signed up from our invite-only link could access the docs. Identity and the website have been set up, and I’ve created a login folder with index.html within that only shows the login page; this folder is under static/ (following Hugo’s method of file directory).

Everything works so far, I’ve got the Identity widget on the static pages as well as the login page. I’ve then created the _redirects file which I can see is loaded when site is deployed:

# Always allow access to the login page
/login  /login  200
# Require the `authorized` role to view any other pages
/*              200!    Role=authorized
# Redirect to /login if you don't have the role
/*      /login  302
# Redirect to main page if logged in from login page
/login  /       200! Role=authorized

My questions are:

  1. Since there are role-based redirect rules and I’m on the Pro plan, will all the rules be ignored or only the ones with roles?
  2. I’m trying to redirect users back to the home page after they have logged in. Is the last rule correct, or is there another method that does not involve roles?

Extra thing to note is that the login page is under static/login/index.html but the rest of the pages are served from another submodule under docs/content/en/*.

I’d appreciate any clarifications on this topic!

Hi @NikShafiq

Redirect rules are processed top to bottom so the last rule

# Redirect to main page if logged in from login page
/login  /       200! Role=authorized

because the rule above it

# Redirect to /login if you don't have the role
/*      /login  302

captures everything below the site root.

If the login page is at /static/login/ and not /login when deployed, the /login rules won’t work.

If the gated content is under /docs/ then I believe you are best to apply the role-based rules to that path and not the site root (see Redirect visitors based on roles) e.g.

/docs/*              200!    Role=authorized
/docs/*    /login    401!

Thanks for the reply @coelmay. Regarding the redirect rules on login, I understand that they are processed from top to bottom, but they originate from different URLs (login page to any page vs any page to login page); would it still not apply if the sources and destinations are flipped for the 2 rules?

As for the paths, my understanding is that Netlify is serving everything from /static to /opt/build/repo/public/. This allows me to access my login page with /login/ at the end of my URL; the same goes for the static pages in /docs/. Am I to understand that the rules must use the actual path of the folder locations, i.e. (static/login/), and not the ones in the URL?

Apologies, your original wording led me to believe the live location was static/login.

/*     /login    302

will take anything not processed by a preceding rule and redirect it to /login and no rule below will get processed. This is the same behaviour used to make SPA work i.e.

/*    /index.html    200

I see. If that’s the case, would the solution be to add /* /login 302 at the end of the rules list?

Currently I’m trying to test our redirects by redirecting /products /licensing 301, and it does not seem to work. Both /products and /licensing live under a docs/ folder which is located within the root folder. On live, the URLs for these pages are as is: mywebsite.com/products and mywebsite.com/licensing.

Is a normal redirect also behind the business plan or am I getting the syntax wrong?

Yes, any rule such as /* should go last.

If you are trying to redirect (301/302) from a path where content exists, you will need to force the redirect otherwise the default behaviour is to return the content.

So if there is content at /products but you want to redirect to /licensing the rule you will need is

/products    /licensing    302!

in which the ! means force. If you were to do this in netlify.toml syntax it would look like

[[redirects]]
  from = "/products"
  to = "/licensing"
  status = 302
  force = true

In either case, this would only redirect the /products page, but not /products/someproducts.

Thanks again for that @coelmay, that has cleared things up. My redirects are working as intended, but it was only achievable when creating redirect rules within netlify.toml. The same redirect rule seems to be ignored when done in _redirects.

Great to hear @NikShafiq.

While the netlify.toml should generally live in the repository root, the _redirects file needs to live in the publish directory. How this happens depends on the SSG used. For React or Vue for instance, the _redirects file should live in the public directory as the contents are copied to the build directory (build and dist respectively) which is where it is processed from.

Hi @coelmay, I’ve moved my _redirects file to the repository root where config.toml and netlify.toml live. This seems to have fixed the redirects, but now I’m facing an issue. I have upgraded to a Business plan to allow for role-based redirects and have done the following rules:

/login  /login  200
/    200 Role=authorized

Login page seems to be accessible, but the second rule is not being processed and I’m getting errors on the CLI:
◈ Redirects syntax errors: Could not parse redirect number 2: {"from":"/","query":{},"status":200,"force":true,"conditions":{"Role":"authorized"}} Missing "to" field
Which is confusing, as this link (Role-based access control with JWT | Netlify Docs) shows that a role-based redirect does not require a “to” field.

However, I changed the second rule to:

/*      /*      200     Role=authorized

I’ve tried force (200!) as well and it’s the same result: loading the URL ends up showing me a “Not Found” text.

This is resolved once I removed the “Role” parameter though, so I’m not sure what is going on.

Sorry for the double post, @coelmay. It seems to be working on the Netlify dashboard, but the plan change was not reflected in the CLI; that could’ve been the cause for the “Not found” display.

I’m still wondering however if we still need a “to” field for a role-based redirect?

What is in the netlify.toml? Do you have redirects in this file as well as the _redirects file?

The netlify.toml lives in the repository root, the _redirects file goes in the publish directory. If, for instance, you are using Create React App, the file would go in the public directory so it is copied to the build directory when building (the build directory is then what Netlify publishes.)

True, the documentation does show the omission of the to field, however it also uses a wildcard e.g.

/admin/*          200!  Role=admin

This is what I created as a quick test, which worked for me.

# Always allow login page
/login    /login    200
# If a `basic-user` serve page
/*    200!   Role=basic-user
# Other send to login
/*    /login    401!

Note: I have a basic-user role rather than authorized. Change the role(s) to suit.
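As an added example (not Netlify's code, and not something posted by anyone in this thread), here is a small Python simulator of the rule semantics the replies above describe: rules are tried top to bottom and the first match wins, * is a splat, a Role= condition makes a rule fall through when the visitor lacks the role, and a trailing ! forces a rule even where the site already has content at that path. It is a model of the behaviour discussed here, not Netlify's actual engine. The published paths in CONTENT are constructed for the demo, and the assumption that a rule may omit its "to" field only when its "from" contains a splat is taken from the CLI error quoted earlier in the thread.

```python
import re
from dataclasses import dataclass
from typing import AbstractSet, Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    src: str
    dest: Optional[str]   # None: no "to" field, serve the requested path itself
    status: int
    force: bool           # trailing "!" on the status
    role: Optional[str]   # value of a Role= condition (comma-separated alternatives)


@dataclass(frozen=True)
class Outcome:
    status: int
    path: str             # path served (200) or redirect target (3xx / 401)
    rule: Optional[int]   # 0-based index of the rule that fired, None if none did


def parse_redirects(text: str) -> List[Rule]:
    """Parse _redirects lines of the form: from [to] [status[!]] [Key=value ...]."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        src, rest = tokens[0], tokens[1:]
        role = None
        while rest and "=" in rest[-1]:                # trailing conditions such as Role=authorized
            key, value = rest.pop().split("=", 1)
            if key == "Role":
                role = value
        dest = None
        if rest and not re.fullmatch(r"\d{3}!?", rest[0]):
            dest = rest.pop(0)                         # a non-status token here is the "to" field
        status, force = 301, False                     # Netlify's defaults when the status is omitted
        if rest:
            force = rest[0].endswith("!")
            status = int(rest[0].rstrip("!"))
        if dest is None and "*" not in src:
            # Assumption: "to" may only be omitted on splat rules, which is what the CLI
            # error quoted in the thread for "/ 200 Role=authorized" suggests.
            raise ValueError(f'Could not parse redirect number {len(rules) + 1}: Missing "to" field')
        rules.append(Rule(src, dest, status, force, role))
    return rules


def _splat(src: str, path: str) -> Optional[str]:
    """Return the text matched by * when src matches path ("" if src has no splat), else None."""
    pattern = "^" + re.escape(src).replace(r"\*", "(.*)") + "$"
    m = re.match(pattern, path)
    if m is None:
        return None
    return m.group(1) if m.groups() else ""


def resolve(rules: List[Rule], path: str, roles: Iterable[str] = (),
            content: AbstractSet[str] = frozenset()) -> Outcome:
    """First matching rule wins. An unmet Role condition falls through to the next rule;
    existing content shadows a non-forced rule (the site file is served instead)."""
    have = set(roles)
    for i, rule in enumerate(rules):
        splat = _splat(rule.src, path)
        if splat is None:
            continue
        if rule.role is not None and not (set(rule.role.split(",")) & have):
            continue
        if not rule.force and path in content:
            return Outcome(200, path, None)
        dest = path if rule.dest is None else rule.dest.replace(":splat", splat)
        return Outcome(rule.status, dest, i)
    return Outcome(200 if path in content else 404, path, None)


def dead_rules(rules: List[Rule], requests, content: AbstractSet[str]) -> List[int]:
    """Indices of rules that fire for none of the given (path, roles) requests."""
    fired = {resolve(rules, p, r, content).rule for p, r in requests}
    return [i for i in range(len(rules)) if i not in fired]


# Constructed sample of the published site: /login/index.html plus a few docs pages.
CONTENT = {"/", "/login", "/docs/intro", "/products", "/licensing"}

# The rule set from the opening post: its last rule can never be reached.
ORIGINAL = parse_redirects("""
/login  /login  200
/*              200!    Role=authorized
/*      /login  302
/login  /       200! Role=authorized
""")

# The working rule set from the reply above.
FIXED = parse_redirects("""
/login    /login    200
/*        200!      Role=basic-user
/*        /login    401!
""")

if __name__ == "__main__":
    requests = [(p, r) for p in sorted(CONTENT) + ["/docs/missing"] for r in ((), ("authorized",))]
    print("rules in ORIGINAL that never fire:", dead_rules(ORIGINAL, requests, CONTENT))
    for name, rules in (("ORIGINAL", ORIGINAL), ("FIXED", FIXED)):
        for path, roles in (("/docs/intro", ()), ("/docs/intro", ("basic-user",)), ("/login", ())):
            print(name, path, roles, resolve(rules, path, roles, CONTENT))
    # Force: without "!" the existing page wins; with "!" the redirect applies.
    print(resolve(parse_redirects("/products /licensing 301"), "/products", (), CONTENT))
    print(resolve(parse_redirects("/products /licensing 302!"), "/products", (), CONTENT))
```

Running it shows that the opening post's last rule never fires, and also that its unforced "/* /login 302" is shadowed wherever a page actually exists, so it would not have gated existing docs pages at all; the later rule set instead answers anonymous requests for any page with a forced 401 to /login while serving the page to visitors who hold the role. The "/products /licensing" pair reproduces the force point from earlier in the thread, and the self-rewrite "/login /login 200" is reported as dead as well, since the existing login page shadows it.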

Thanks a lot, I’ve tested this on my published site and it works, I guess the recently upgraded plan was not reflected on CLI.

Other than that, I have moved my _redirects back to my static/ folder, as that folder is the one being pushed as public when deployed and everything works as expected.

To answer your netlify.toml question, it previously had redirect rules which were removed, yet when I created and modified _redirects, the CLI log still showed that it was processing redirect rules in both _redirects and netlify.toml. Not sure what’s causing that, but the important thing is that it’s working on the deployed site at least.

On a side note, Role Based Access Control is available on all plans, not just Business, so it has nothing to do with that.

Hi @hrishikesh, not sure if role based access control and role based redirects are the same thing? I was referring to this post.

Role Based Redirects require Role Based Access Controls. If the latter is not enabled, the former will not work.

Thanks for the clarification. So it was a necessary decision to upgrade to Business plan to even utilize role based redirect I assume.

@hrishikesh My previous comment regarding the CLI was that after upgrading and applying role based redirect, when being redirected based off role, it would lead me to an empty page with “Not Found” but when doing it again off of the Netlify Dashboard by publishing the repo, it would work as expected.

There are several open issues on the Netlify CLI repository including the following which may come into play with your usage and is therefore nothing to do with RBAC, or the plan you are on

Okay then great to know that it was a CLI issue.

Sorry to segue this discussion into another, but I’d like to clarify if role-based redirects are behind the Business plan or available for all, as per this discussion. The pricing plans and docs seem to be confusing and emphasize that a Business plan is required for role-based redirects.

I’m using role-based redirect along with the built in Netlify Identity, so I am not using any 3rd party auth methods. I’m only utilizing serverless functions to apply roles on signup and allowing only those roles to access my site, would I still need a business plan for that feature?

To quote @hrishikesh

I am unable to find anywhere in the documentation where it states RBAC is only available on the Business plan. Can you point to where it says that @NikShafiq?

The post referred to here also mentions the use of JWTs which as per this post are only available on Business. If wishing to use an External provider this also requires a higher plan.

This is possibly what the Netlify access control on the pricing page is referring to.

I’m referring to this, where it mentions:

Restricting access to sites is easy when you use Netlify. With Role Based Redirects, a pro-feature that is available with the Teams Business plan or above

which gives the impression that role-based redirects is behind a business plan.