The basics
Serverpod automatically checks if the user is logged in and if the user has the right privileges to access the endpoint. When using the serverpod_auth
module you will not have to worry about keeping track of tokens, refreshing them or, even including them in requests as this all happens automatically under the hood.
The Session
object provides information about the current user. A unique userId
identifies a user. You should use this id whenever you a referring to a user. Access the id of a signed-in user through the auth
field of the Session
object.
Future<void> myMethod(Session session) async {
var userId = await session.auth.authenticatedUserId;
...
}
You can also use the Session object to check if a user is authenticated:
Future<void> myMethod(Session session) async {
var isSignedIn = await session.isUserSignedIn;
...
}
Requiring authentication on endpoints
It is common to want to restrict access to an endpoint to users that have signed in. You can do this by overriding the requireLogin
property of the Endpoint
class.
class MyEndpoint extends Endpoint {
bool get requireLogin => true;
Future<void> myMethod(Session session) async {
...
}
...
}
Authorization on endpoints
Serverpod also supports scopes for restricting access. One or more scopes can be associated with a user. For instance, this can be used to give admin access to a specific user. To restrict access for an endpoint, override the requiredScopes
property. Note that setting requiredScopes
implicitly sets requireLogin
to true.
class MyEndpoint extends Endpoint {
bool get requireLogin => true;
Set<Scope> get requiredScopes => {Scope.admin};
Future<void> myMethod(Session session) async {
...
}
...
}
Managing scopes
New users are created without any scopes. To update a user's scopes, use the Users
class's updateUserScopes
method (requires the serverpod_auth_server
package). This method replaces all previously stored scopes.
await Users.updateUserScopes(session, userId, {Scope.admin});
Custom scopes
You may need more granular access control for specific endpoints. To create custom scopes, extend the Scope class, as shown below:
class CustomScope extends Scope {
const CustomScope(String name) : super(name);
static const userRead = CustomScope('userRead');
static const userWrite = CustomScope('userWrite');
}
Then use the custom scopes like this:
class MyEndpoint extends Endpoint {
bool get requireLogin => true;
Set<Scope> get requiredScopes => {CustomScope.userRead, CustomScope.userWrite};
Future<void> myMethod(Session session) async {
...
}
...
}
Keep in mind that a scope is merely an arbitrary string and can be written in any format you prefer. However, it's crucial to use unique strings for each scope, as duplicated scope strings may lead to unintentional data exposure.