Page Permissions Auth

**Assigned To: Anson, Vansh**
## Overview
Implement backend permission checks to ensure that users can only access pages they are authorized to view. This includes access control for unauthenticated users, post-verification registration flow, and admin-only page protection. This ticket ensures secure route-level access and proper redirection for unauthorized users.

## Task
Add permission checks (middleware + backend guards) that enforce:
- Authentication for protected routes
- Verification flow constraints for registration
- Role-based access control (admin vs. regular users)

**Middleware**
Create an authentication middleware (e.g., middleware.ts in src/ root or per-route group) to:
- Check if a user is logged in (via Better Auth session or JWT).
- If not logged in, redirect to /login unless the user is visiting:
`/login`, `/register`, `/verify`
Add verification flow guard:
- Ensure that `/register` can only be accessed after successful code verification.
- If a user without a verified code token tries to access /register, redirect them to `/verify`

**RBAC**
Now implement RBAC (role-based access control)
- Create a permission-check utility (e.g., `checkPermissions.ts`) to determine user roles (`admin`, `user`).
- Only users with the `admin` role should access `src/app/admin/page.tsx`
- All other logged-in users should have access to all other pages.

Integrate permission check into Better Auth session handling:
- Extend session or user payload to include `role` or `permissions` field.
- Fetch permissions during session retrieval for efficient checks.

Handle unauthorized access
Redirect unauthorized users to the appropriate route:
- Not logged in → `/login`
- Verified required → `/verify`
- No permission (e.g., accessing /admin as non-admin) → redirect to `/`

**Here are some things to keep in mind**
- Keep middleware lightweight: only perform minimal checks and redirect quickly.
- Don’t leak private routes or data via error messages.
- Make sure admin detection logic is based on server-side role data, not client assumptions.
- Test by logging in with different roles and test access to different pages

## Resources
- [Better Auth Docs](https://www.better-auth.com/docs/integrations/next): Go to section on **Middleware**
- [Next.js Middleware Documentation](https://nextjs.org/docs/app/building-your-application/routing/middleware)
- [RBAC (Role-Based Access Control) Patterns](https://auth0.com/docs/manage-users/access-control/rbac)

✅ Acceptance Criteria
- [ ] Unauthenticated users can only access `/login` and `/verify`.
- [ ]  Attempting to visit any other page while logged out redirects to `/login`.
- [ ]  `/register` is only accessible after successful verification (user has a valid verification code/session).
- [ ]  Admin-only route (`src/app/admin/page.tsx`) is accessible only by users with admin role.
- [ ]  Logged-in non-admin users can access all other pages except `/admin`.

As always, reach out with questions and happy coding!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Page Permissions Auth #31

Overview

Task

Resources

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Page Permissions Auth #31

Description

Overview

Task

Resources

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions