jolly-crimson 13mo ago

Access control cerbos in production with refine app.

I am using cerbos for my access control and it is working fine; I don't have any issue with it during local development. But now I have moved my project to the production server and have figured out that I need to access the cerbos URL from the server, because in local development I can use localhost:3592 and access the cerbos policies. However, once the app is built and served from the server, when users access my app they will download the whole JS in their browser, because of which access to cerbos should now be from the server. Is there a solution to this or am I confused about the implementation detail? If I have to access the cerbos policies from a server then my whole app will now be slow just because of the network request to check the policies.
10 Replies
kapa.ai 13mo ago
Hi @dipbazz. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
kapa.ai 13mo ago
Hmm, I don't know enough to give you a confident answer yet. However, you can refer to the refine documentation on Access Control Provider (https://refine.dev/docs/api-reference/core/providers/accessControl-provider/) and the Cerbos example in the refine documentation (https://refine.dev/docs/examples/access-control/cerbos) for more information on how to implement access control with Cerbos in refine.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
Omer 13mo ago
Hey @dipbazz, thank you for contacting us. I believe @alexolivier (Cerbos product guy) can assist you, or you can start a discussion from here: https://github.com/cerbos/cerbos/discussions. I hope I have been able to help. Feel free to ask if you have any other questions 💯
jolly-crimson 13mo ago
Hey @Omer, I was wondering: cerbos is a separate library that extracts the authorization logic from the application, so we have to run a cerbos instance separately, which results in the react application being bundled without the authorization part. Can I use casbin for authorization so that the authorization model and policy will be bundled with the react application, so that refine doesn't need to talk to an external process for authorization?
conscious-sapphire 13mo ago
Hey @dipbazz, we are using casbin (go server side, refine client side). Casbin allows you to define an authorization model within your frontend. This will of course need some sort of role or access mechanism when it comes down to checking "who's allowed to do what?". Depending on your use case you might need a "role" (i.e. role: "reader") attached to the user.
jolly-crimson 13mo ago
Hey @bastianwegge, thanks for your response. I have role-based authorization. That means I can use the role to determine the user's authorization and keep the authorization with the react build?
conscious-sapphire 13mo ago
Yes
Omer 13mo ago
hmm, one disadvantage of this is that it requires you to redeploy your front-end application when there are changes in permissions
conscious-sapphire 13mo ago
Absolutely true @Omer; as dipbazz was asking for this specific use case, I was thinking he may be aware of that. For completeness: @dipbazz, as your system evolves, you might find the need to have an endpoint inside of your API that can serve the casbin policy definition. If you want to do that, casbin supports several languages, so you're not "stuck" with JS/TS => https://casbin.org/
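
The role-based, bundled-policy approach discussed in this thread, as an added example that is not from any participant or from the refine, casbin or Cerbos projects: a small stand-in for a casbin enforcer (not casbin's API) wrapped in the `can()` shape of refine's accessControlProvider. The policy lines, role names and the `getRole` callback are assumptions made for illustration.

```javascript
// Added example: a minimal stand-in for a casbin enforcer, not casbin's API.
// Policy lines use casbin's "p, subject, object, action" CSV shape; the roles,
// resources and actions are constructed sample data.
const BUNDLED_POLICY = `
p, admin, posts, *
p, editor, posts, list
p, editor, posts, edit
p, reader, posts, list
`;

// Parse policy text into rules, skipping blank, comment and malformed lines.
function parsePolicy(text) {
  return text
    .split("\n")
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith("#"))
    .map((line) => line.split(",").map((field) => field.trim()))
    .filter((f) => f.length === 4 && f[0] === "p" && f.every(Boolean))
    .map(([, role, resource, action]) => ({ role, resource, action }));
}

// Default deny: allow only if a rule names this role, resource and action.
// A rule action of "*" matches any action (a convention of this example).
function isAllowed(rules, role, resource, action) {
  return rules.some((r) => r.role === role && r.resource === resource &&
    (r.action === "*" || r.action === action));
}

// Wrap the rules in the can() shape of refine's accessControlProvider.
// getRole is a hypothetical callback returning the signed-in user's role.
// Rules may come from BUNDLED_POLICY (fixed at build time) or from policy
// text fetched from an API endpoint, which avoids a front-end redeploy.
function makeAccessControlProvider(rules, getRole) {
  return {
    can: async ({ resource, action }) => {
      const role = await getRole();
      return isAllowed(rules, role, resource, action)
        ? { can: true }
        : { can: false, reason: `role "${role}" may not ${action} ${resource}` };
    },
  };
}

// This code ships to the browser, where users can read and modify it, so it
// only controls what the UI shows; the API still has to enforce the policy.
const provider = makeAccessControlProvider(
  parsePolicy(BUNDLED_POLICY), async () => "editor");
provider.can({ resource: "posts", action: "delete" }).then(console.log);
```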