Bird
Raised Fist0
NextJSframework~5 mins

Role-based access patterns in NextJS

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction

Role-based access patterns help control who can see or do what in your app. They keep your app safe and organized by giving different users different permissions.

When you want to show different pages or features to admins and regular users.
When you need to protect sensitive data from unauthorized users.
When you want to simplify user experience by hiding options users shouldn't access.
When building apps with multiple user types like customers, staff, and managers.
Syntax
NextJS
import { useSession } from 'next-auth/react';

export default function Page() {
  const { data: session } = useSession();

  if (!session) {
    return <p>Please log in to view this page.</p>;
  }

  if (session.user.role !== 'admin') {
    return <p>Access denied. Admins only.</p>;
  }

  return <p>Welcome, admin!</p>;
}

Use useSession from next-auth/react to get user info.

Check the user's role from the session object to control access.

Examples
Simple check to show different content based on role.
NextJS
if (session.user.role === 'admin') {
  // show admin content
} else {
  // show regular user content
}
Check if user role is in a list of allowed roles.
NextJS
const allowedRoles = ['admin', 'manager'];
if (allowedRoles.includes(session.user.role)) {
  // allow access
} else {
  // deny access
}
Higher-order component to wrap pages or components with role checks.
NextJS
import { useSession } from 'next-auth/react';

export function withRole(Component, allowedRoles) {
  return function WrappedComponent(props) {
    const { data: session } = useSession();
    if (!session || !allowedRoles.includes(session.user.role)) {
      return <p>Access denied.</p>;
    }
    return <Component {...props} />;
  };
}
Sample Program

This component shows different messages based on the user's role from the session. It handles three roles: admin, editor, and viewer. If the user is not logged in, it asks them to log in.

NextJS
import { useSession } from 'next-auth/react';

export default function Dashboard() {
  const { data: session } = useSession();

  if (!session) {
    return <p>Please log in to access the dashboard.</p>;
  }

  switch (session.user.role) {
    case 'admin':
      return <p>Welcome Admin! You can manage users and settings.</p>;
    case 'editor':
      return <p>Welcome Editor! You can edit content.</p>;
    case 'viewer':
      return <p>Welcome Viewer! You can view content only.</p>;
    default:
      return <p>Role not recognized. Access limited.</p>;
  }
}
OutputSuccess
Important Notes

Always check if the user is logged in before checking roles.

Store user roles securely and avoid trusting client-side data alone.

Use server-side checks for sensitive data or actions to improve security.

Summary

Role-based access controls who can see or do things in your app.

Use session data to check user roles and show or hide content accordingly.

Protect sensitive parts of your app by restricting access based on roles.

Practice

(1/5)
1. What is the main purpose of role-based access control in a Next.js application?
easy
A. To improve the app's loading speed by caching user data
B. To restrict or allow users to see or perform actions based on their assigned roles
C. To style components differently for each user
D. To automatically generate user profiles

Solution

  1. Step 1: Understand role-based access control concept

    Role-based access control means controlling what users can do or see based on their roles.

  2. Step 2: Identify the purpose in Next.js apps

    In Next.js, this means showing or hiding parts of the app depending on user roles to protect sensitive data.

  3. Final Answer:

    To restrict or allow users to see or perform actions based on their assigned roles -> Option B

  4. Quick Check:

    Role-based access controls user permissions = B [OK]
Hint: Role-based access controls user permissions and visibility [OK]
Common Mistakes:
  • Confusing access control with styling or caching
  • Thinking it automatically creates user profiles
  • Assuming it improves app speed
2. Which of the following is the correct way to check a user's role in a Next.js component using session data?
easy
A. if (session.user.role === 'admin') { /* allow access */ }
B. if (user.role == 'admin') { /* allow access */ }
C. if (session.role === 'admin') { /* allow access */ }
D. if (session.user.roles.includes('admin')) { /* allow access */ }

Solution

  1. Step 1: Identify session structure in Next.js

    Session data usually stores user info under session.user, including role as session.user.role.

  2. Step 2: Check correct syntax for role comparison

    The correct check is session.user.role === 'admin' to compare role string exactly.

  3. Final Answer:

    if (session.user.role === 'admin') { /* allow access */ } -> Option A

  4. Quick Check:

    Use session.user.role for role check = C [OK]
Hint: Access role via session.user.role for correct check [OK]
Common Mistakes:
  • Using user.role without session prefix
  • Checking session.role directly (wrong path)
  • Using == instead of === for strict comparison
  • Assuming roles is an array when it's a string
3. Given this Next.js code snippet, what will be rendered if the user role is 'editor'? 
function Dashboard({ session }) {
  if (session.user.role === 'admin') {
    return <div>Admin Panel</div>;
  } else if (session.user.role === 'editor') {
    return <div>Editor Workspace</div>;
  } else {
    return <div>Access Denied</div>;
  }
}
medium
A. Nothing will render due to error
B. <div>Admin Panel</div>
C. <div>Access Denied</div>
D. <div>Editor Workspace</div>

Solution

  1. Step 1: Check user role conditionals

    The code checks if role is 'admin', then 'editor', else denies access.

  2. Step 2: Match role 'editor' to conditional

    Since role is 'editor', the second condition matches and returns <div>Editor Workspace</div>.

  3. Final Answer:

    <div>Editor Workspace</div> -> Option D

  4. Quick Check:

    Role 'editor' matches editor condition = A [OK]
Hint: Match user role to if-else branches to find output [OK]
Common Mistakes:
  • Choosing admin panel for editor role
  • Assuming access denied for editor
  • Thinking code has syntax errors
4. Identify the error in this Next.js role check code snippet: 
function Page({ session }) {
  if (session.user.role = 'admin') {
    return <div>Admin Access</div>;
  }
  return <div>No Access</div>;
}
medium
A. session.user.role should be session.role
B. Missing else block after if statement
C. Using single equals (=) instead of triple equals (===) for comparison
D. Return statements are not allowed inside if

Solution

  1. Step 1: Check the if condition syntax

    The code uses single equals (=) which assigns value instead of comparing.

  2. Step 2: Identify correct comparison operator

    For comparison, triple equals (===) should be used to check equality without assignment.

  3. Final Answer:

    Using single equals (=) instead of triple equals (===) for comparison -> Option C

  4. Quick Check:

    Use === for comparison, not = [OK]
Hint: Use === for comparison, not = assignment [OK]
Common Mistakes:
  • Confusing assignment (=) with comparison (===)
  • Thinking else block is mandatory
  • Incorrect session property path assumptions
  • Believing return inside if is invalid
5. You want to protect a Next.js API route so only users with role 'admin' or 'manager' can access it. Which code snippet correctly implements this role-based access check?
hard
A. if (['admin', 'manager'].includes(session.user.role)) { /* allow */ } else { /* deny */ }
B. if (session.user.role === ['admin', 'manager']) { /* allow */ } else { /* deny */ }
C. if (session.user.role == 'admin' && session.user.role == 'manager') { /* allow */ } else { /* deny */ }
D. if (session.user.role === 'admin' && session.user.role === 'manager') { /* allow */ } else { /* deny */ }

Solution

  1. Step 1: Understand role check for multiple roles

    We want to allow access if role is either 'admin' or 'manager'.

  2. Step 2: Evaluate each option's logic

    if (session.user.role === 'admin' && session.user.role === 'manager') { /* allow */ } else { /* deny */ } uses && which requires the role to be both simultaneously (impossible); if (session.user.role === ['admin', 'manager']) { /* allow */ } else { /* deny */ } compares role to array directly (wrong); if (['admin', 'manager'].includes(session.user.role)) { /* allow */ } else { /* deny */ } uses includes() on array which is clean and correct; if (session.user.role == 'admin' && session.user.role == 'manager') { /* allow */ } else { /* deny */ } uses && which requires role to be both roles simultaneously (impossible).

  3. Final Answer:

    if (['admin', 'manager'].includes(session.user.role)) { /* allow */ } else { /* deny */ } -> Option A

  4. Quick Check:

    Use includes() to check multiple roles = D [OK]
Hint: Use array.includes(role) to check multiple roles easily [OK]
Common Mistakes:
  • Comparing role directly to an array
  • Using && instead of || for multiple roles
  • Not using includes() for clean checks
  • Assuming || is always better than includes()