Best Practices for Implementing Role-Based Access Control (RBAC) in RedwoodJS

Hey everyone,

I’m currently working on a RedwoodJS project where I need to implement Role-Based Access Control (RBAC) to restrict certain features based on user roles (e.g., admin, editor, user). I’ve looked through the documentation and some forum discussions, but I’m hoping to get some insights from those who have successfully implemented RBAC in a RedwoodJS app.

Here are a few specific questions I have:

  1. Where should role checks be performed?
  • Should they primarily be handled in the GraphQL API layer (e.g., inside the services), on the frontend, or a combination of both?
  2. What’s the best way to store and manage roles?
  • Is it best to store them in the database and fetch them on authentication, or should they be embedded in the JWT token for performance reasons?
  3. Are there any existing utilities or third-party libraries that integrate well with RedwoodJS for handling RBAC?
  • I’ve seen some implementations using @redwoodjs/auth with providers like Auth0 or Firebase, but I’m wondering if there’s a preferred approach.
  4. How do you handle role updates?
  • If an admin upgrades a user’s role, what’s the best way to ensure that change is reflected without requiring them to log out and back in?

I also checked this: https://community.redwoodjs.com/t/an-introduction-to-role-based-access-control-in-redwoodjs-go-language

Any code snippets, GitHub repos, or best practices would be super helpful! Thanks in advance for your advice.
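As an added example (not from the original post or from the RedwoodJS project itself), the pattern questions 1, 2 and 4 circle around: roles kept in the database, re-read on every request in `getCurrentUser`, and enforced inside the service with `requireAuth`, so the API layer is the real boundary and a role change takes effect on the next request. The helper names follow the shape Redwood's auth setup generates, but the users map, token shape, `context` object and error classes are all local stand-ins assumed here so the file runs without any `@redwoodjs` package.

```javascript
// Constructed stand-in for the users table: roles live in the DB, not in the token.
const usersDb = new Map([
  [1, { id: 1, email: 'alice@example.com', roles: ['editor'] }],
  [2, { id: 2, email: 'bob@example.com', roles: ['user'] }],
]);
// Local stand-ins for the error classes @redwoodjs/graphql-server exports (assumed).
class AuthenticationError extends Error {}
class ForbiddenError extends Error {}

// Per-request context as populated by the GraphQL handler (assumed shape).
const context = { currentUser: null };

// Given the decoded token, trust only the subject id and re-read roles from the DB,
// so an admin's change applies on the next request without a new login.
function getCurrentUser(decoded) {
  if (!decoded || !decoded.sub) return null;
  const user = usersDb.get(decoded.sub);
  return user ? { id: user.id, email: user.email, roles: [...user.roles] } : null;
}
const isAuthenticated = () => !!context.currentUser;

// Accepts a single role or a list; true if the current user holds any of them.
function hasRole(roles) {
  if (!isAuthenticated()) return false;
  const wanted = Array.isArray(roles) ? roles : [roles];
  return wanted.some((r) => (context.currentUser.roles || []).includes(r));
}

// Every service runs this itself; a frontend check only hides UI, it does not protect data.
function requireAuth({ roles } = {}) {
  if (!isAuthenticated()) throw new AuthenticationError("You don't have permission to do that.");
  if (roles && !hasRole(roles)) throw new ForbiddenError("You don't have access to do that.");
}

// Example service: only admins may change another user's roles.
function updateUserRoles(id, roles) {
  requireAuth({ roles: 'admin' });
  const user = usersDb.get(id);
  if (!user) throw new Error('user not found');
  user.roles = [...roles];
  return user;
}

// Simulates one API request made with the given decoded token.
function handleRequest(decoded, fn) {
  context.currentUser = getCurrentUser(decoded);
  try { return fn(); } finally { context.currentUser = null; }
}
```

Because `getCurrentUser` never reads roles from the token, an admin editing `usersDb` is enough for the next request from that user to be evaluated against the new roles.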