User authentication & permissions
This page will teach you how to build user-centric apps with user authentication and permissions in Plasmic Studio.
What is user authentication?
User authentication is the process of verifying who the user is. Users can authenticate (or log in) in various ways—typing in a password, clicking an email magic link, or authorizing via an external identity provider. Once logged in, the app can use data about the user to show personalized content.
Enabling user authentication
To enable user authentication, click on the ellipsis menu by the name of the project in the top-left corner, and select “Configure app authentication”.
And that’s it! When users try to visit a page that requires authentication, they’ll be automatically redirected to Plasmic’s login page first.
Projects with user authentication enabled cannot be imported by other projects.
Permissions
This page is about permissions and roles for your app’s users. For docs on project roles in Plasmic Studio, check out the collaboration page.
Authenticated users can have permissions, which dictate the pages a user can visit, the data they have access to, and more.
The process of checking permissions is called authorization. Because of how closely related authentication and authorization are and their common prefix, we commonly refer to them all by just “auth”.
Role-based access control
Plasmic Studio uses role-based access control (RBAC). RBAC is a simple way to define permissions: first we assign roles to users, then we can configure different parts of the app to require those roles.
Roles and ordering
Roles can be added and reordered in the “Settings” tab of the auth configuration dialog.
Roles are ordered. This means that a higher role always has greater access than a lower role.
For example, suppose an app has the following roles: Admin (highest), Normal User, Viewer (lowest). If a page requires a Normal User role, then both a Normal User and an Admin can visit the page, but a Viewer cannot.
Assigning users to roles
By default, when you enable auth, anyone can log in to your app with the “Viewer” role. You can change this in the “Permissions” tab of the auth configuration dialog.
You can add permissions for an individual user by email. You can also add permissions for emails from a domain.
Once a permission is added, you can configure their role.
If a user matches more than one role, the user will receive the highest matched role.
Restricting pages by role
To restrict who can visit a page, set the “Role Needed” field on the right panel, under the “Page Data” tab.
Notice one of the options is “Anonymous”. If set, then anyone, including users who haven’t logged in, can visit the page.
What happens if a user doesn’t have access to the page? It depends on the situation:
- If the user isn’t logged in, they will be automatically redirected to the login page. If they log in successfully, they’ll be brought back to the original page.
- If the user is logged in but their role is below the minimum requirement, they will see a permission denied error page.
You can configure the default “Role Needed” for new pages in the “Settings” tab of the auth configuration dialog.
Note that restricting pages by role may not prevent unwanted access to the underlying data or actions from unauthorized users. If the page has any data fetches or backend operations, make sure you set a minimum role and/or secure user data.
Showing or hiding elements by role
Sometimes, you may want to hide only certain sections of a page, and not the entire page. You can do this by setting an element’s “Visibility” field to only show based on the role.
Note that hiding elements by role may not prevent unwanted access to the underlying data or actions from unauthorized users. If the hidden element has any interactions with backend operations, make sure you set a minimum role and/or secure user data.
Using the logged-in user in dynamic values
You can reference the logged-in user in dynamic values with the currentUser
object.
The currentUser
object contains email and role data.
To display other information about a user, you’ll need to store and retrieve it in your own database, keyed on user emails.
For security reasons, the currentUser
object behaves differently when used in data fetches and backend operations.
Read more about integrations and security.
Adding login and logout buttons
Users will automatically be redirected to the Plasmic login page if they try to visit a restricted page. However, you might want to add an explicit login or logout button.
You can add an interaction and use the login/logout action types.
The login and logout actions do not work if you use a custom auth provider.
Security
This section explores technical details about authentication. For most users, it is not necessary to understand these details.
When a user is logs in to an app with either Plasmic Auth or a custom auth provider, Plasmic servers issue a token for the user. The host is expected to securely store the token, such as in a local storage, session storage, or secure cookies.
Issued tokens have the following security properties:
- Signed with HS256
- Valid for 7 days
- Scoped to the app, so users must reauthenticate between separate apps
Custom authentication and authorization
You may already have another auth provider, or maybe you need a more robust authorization system. Check out our developer docs on integrating a custom auth provider.