better-auth / better-auth

The most comprehensive authentication library for TypeScript
https://better-auth.com
MIT License

Organization support for multiple roles and policies #40

Open Giggiux opened 4 weeks ago

Giggiux commented 4 weeks ago

Hi,

Having three sets of roles for the organization plugin (owner, admin, member) is helpful in many use cases, but integrating better-auth with complex APIs could require having different roles and sets of permissions for each role.

In my projects, I have at least a couple of examples where the domain I worked on required at least 4-5 different "sets of permissions" grouped in roles.

There are many Authentication libraries out there, either SaaS or open source. This one has me hyped the most because it offers tons of ready-made and simple-to-use options. The only issue that I've found mostly ignored by all the authentication libraries is authorization. Some of them make compromises, and others simply don't give it to you.

Better-auth seems to be on the right path of being the "all in one" Auth² library, so I suggest trying to implement the best authorization library I believe there could be.

Having roles in code is pretty straightforward and an excellent option, and as far as I can understand from the docs, the permissions are a CRUD "resource-based" system. It would also be nice to have permissions at the attribute (read column) level, other than the resource (read row) level, but that can be relatively more complex than the library's scope. And will probably fall into not just "authentication," but more like the "authentication."

So, as of now, I would like, if possible, to suggest two edits that are very interconnected with each other:

  1. Change the way the roles are defined to be customizable by the user
  2. Add some examples of using the custom permissions system after the setup.

For "2.", maybe I've lost some concepts reading the docs, but I don't understand how, after adding a new "project" resource permission, I can link it to an actual API endpoint or backend endpoint, etc.

Also, for the future, getting back to the authentication part, it would be cool to look at the Directus policy-based access control system and how it is integrated with roles.
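An added example (not better-auth's own code or API) of what points 1 and 2 above could look like in TypeScript: custom roles defined in code as resource-to-CRUD-action maps, plus a deny-by-default check that an endpoint handler calls before touching the resource. The role names, the "project" and "member" resources, and the request shape are assumptions for illustration.

```typescript
// Added example, not better-auth's API: user-defined roles mapping each
// resource to the CRUD actions it permits, wired to a route guard.

type Action = "create" | "read" | "update" | "delete";
type Permissions = Readonly<Record<string, readonly Action[]>>;

// Hypothetical custom roles beyond owner/admin/member.
const roles: Readonly<Record<string, Permissions>> = {
  owner:  { project: ["create", "read", "update", "delete"],
            member:  ["create", "read", "update", "delete"] },
  editor: { project: ["create", "read", "update"] },
  viewer: { project: ["read"] },
};

// Own-property lookup so names like "constructor" or "toString" never
// resolve to something inherited from Object.prototype.
function own<T>(obj: Readonly<Record<string, T>>, key: string): T | undefined {
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

// Deny by default: unknown role, unknown resource or unlisted action -> false.
function hasPermission(role: string, resource: string, action: Action): boolean {
  const perms = own(roles, role);
  if (perms === undefined) return false;
  const allowed = own(perms, resource);
  return allowed !== undefined && allowed.includes(action);
}

// Minimal request shape so the guard stays framework-agnostic; the member
// and its role are assumed to come from the authenticated session.
interface AuthedRequest {
  member?: { role: string };
}

type GuardStatus = 200 | 401 | 403;

// Route-level check: a handler for e.g. DELETE /projects/:id calls this
// before doing any work, and returns the status as-is on 401/403.
function authorize(req: AuthedRequest, resource: string, action: Action): GuardStatus {
  if (req.member === undefined) return 401;          // not authenticated
  return hasPermission(req.member.role, resource, action) ? 200 : 403;
}
```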

anishshobithps commented 1 week ago

Just to add this here, do you think https://github.com/stalniy/casl might be a good integration here as well?

GregorWedlich commented 1 week ago

I'm absolutely with you, Better-Auth could become the best authentication library in the future. For me, it would be if I could create custom roles and restrict routing with them.