Role-based access control (RBAC) is a method of deciding who gets access to what based on the role a user holds, rather than on the individual user.
As an example, let's say we are building a product that allows teams to chat with their coworkers. Within a team, each user is either an Admin or a Member. We want to let all users (Admins and Members) view and send chat messages, but only Admins can update billing information. This is a simple form of RBAC: the authorization decision looks only at the role, never at the specific user.
Let's take that same example, write it out in code, and explain how it works:
What does init_auth do?
init_auth fetches metadata from PropelAuth that it will use to verify users. It does this once on startup, so that every later verification is done locally, without an external request per incoming call.
How does require_user work?
When your frontend makes a request to the backend, it includes a token for the user that made the request. require_user verifies this token (using the metadata it fetched in init_auth) and injects the User into the request. If the token is missing, expired, or fails verification, the request is rejected before your handler runs.
What is an org_id?
It's an identifier for an organization. PropelAuth provides B2B authentication meaning that your users can create organizations, invite their coworkers to join them, and manage roles within the organization.
Where does the user and org_id come from?
PropelAuth provides end-to-end authentication, and one component of that is a configurable UI (hosted on your domain) for your users to sign up through. Another aspect is a UI for creating/joining organizations, inviting coworkers to those organizations, and letting these users manage permissions within their organization.
After the user signs up, a secure, HTTP-only cookie is created. We provide frontend libraries so your frontend can understand whether a user is currently logged in based on that cookie. These libraries can also fetch which organizations the user is a member of, or a short-lived token for the current user, which the backend can verify to learn who made the request. Because the cookie is HTTP-only, your frontend code never reads it directly; it sends the short-lived token to your backend instead.
In React, for example, this might look like this:
You don't have to worry about managing invitations, designing emails, or dealing with role changes - it's all already provided out of the box.
What happens if the user isn't a member of that organization?
require_org_member will fail and reject the request. The user's organization memberships and roles are encoded in the token itself, so this check also makes no external requests.
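The flow described in the answers above, as an added example that is not PropelAuth's code: a self-contained Python sketch in which init_auth loads verification material once, require_user verifies a signed, short-lived token with no network call, and require_org_member checks the org membership and role carried inside the token. The token format, the HMAC secret, the allowed_roles parameter, the denial_reason helper and the two chat endpoints are all assumptions made for illustration; the real service uses its own keys, claims and signing scheme.

```python
import base64
import hashlib
import hmac
import json
import time

# Everything here is a constructed stand-in: the token layout, the HMAC
# secret and the function bodies are illustrative, not PropelAuth's code.
DEMO_KEY = b"constructed-demo-secret-do-not-reuse"  # hypothetical key
_VERIFICATION_KEY = None


class AuthError(Exception):
    """Raised when a request must be rejected."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def init_auth(verification_key: bytes) -> None:
    """Load verification material once at startup (stands in for the
    metadata fetch); every later check is purely local."""
    global _VERIFICATION_KEY
    _VERIFICATION_KEY = verification_key


def issue_token(key, user_id, org_id_to_role, ttl=300, now=None) -> str:
    """Issuer side (the auth provider's job): sign a short-lived token that
    carries the user's id and their role in each org they belong to."""
    now = time.time() if now is None else now
    claims = {"user_id": user_id, "org_id_to_role": org_id_to_role, "exp": int(now + ttl)}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def require_user(token, now=None) -> dict:
    """Verify the bearer token and return the User claims, without any network call."""
    if _VERIFICATION_KEY is None:
        raise RuntimeError("init_auth() must run at startup")
    if not token or token.count(".") != 1:
        raise AuthError("missing or malformed token")
    body, sig = token.split(".")
    # Check the signature before trusting (or even parsing) any claim.
    expected = hmac.new(_VERIFICATION_KEY, body.encode(), hashlib.sha256).digest()
    try:
        supplied = _unb64(sig)
    except ValueError:
        raise AuthError("invalid signature")
    if not hmac.compare_digest(expected, supplied):
        raise AuthError("invalid signature")
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        raise AuthError("token expired")
    return claims


def require_org_member(user, org_id, allowed_roles=("Admin", "Member")) -> str:
    """Membership and role come from the claims already in the token."""
    role = user["org_id_to_role"].get(org_id)
    if role is None:
        raise AuthError("user is not a member of org " + org_id)
    if role not in allowed_roles:
        raise AuthError("role " + role + " may not perform this action")
    return role


def send_message(token, org_id, text, now=None):
    user = require_user(token, now)
    require_org_member(user, org_id)  # any member of the org may chat
    return {"from": user["user_id"], "org_id": org_id, "text": text}


def update_billing(token, org_id, plan, now=None):
    user = require_user(token, now)
    require_org_member(user, org_id, allowed_roles=("Admin",))  # Admins only
    return {"org_id": org_id, "plan": plan, "updated_by": user["user_id"]}


def denial_reason(fn, *args, **kwargs):
    """Return None if the call is allowed, otherwise the rejection reason."""
    try:
        fn(*args, **kwargs)
        return None
    except AuthError as err:
        return str(err)


if __name__ == "__main__":
    init_auth(DEMO_KEY)
    admin = issue_token(DEMO_KEY, "alice", {"org_1": "Admin"})
    member = issue_token(DEMO_KEY, "bob", {"org_1": "Member"})
    print(send_message(member, "org_1", "hi"))
    print(update_billing(admin, "org_1", "pro"))
    print(denial_reason(update_billing, member, "org_1", "pro"))
    print(denial_reason(send_message, member, "org_2", "hi"))
```

Two details matter for a production version: the signature is checked before any claim is parsed, so forged or tampered tokens never influence a decision, and the expiry check is what bounds how long a stale role assignment can be honoured, since nothing here calls back to the provider.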