Hello Xano Community!
We're reaching out to seek advice on best practices for designing user roles and protecting API routes from unauthorized access in Xano.
Basically, we're planning to build web apps that rely heavily on roles and permissions, and we want to ensure our implementation is both secure and efficient.
Currently, our approach involves:
1. Securing endpoints using a custom function.
Image 1: Custom Function for Protecting Endpoint.
2. Utilizing if-else condition based on access token to identify allowed roles and determine data access accordingly.
Image 2: Preconditional function that checks whether the allowed roles and our current roles (from the access token) are authorized or not.
The image above shows the logical process of our custom function, which basically checks if some of our roles exist in the allowed_roles array input.
And this is how it looks when using it on a route. Appointment route, for example:
Import the custom function and it will allow you to assign the allowed_roles and roles (which is the current roles of user).
- In this case, for allowed roles we assigned ["Administrator","Elite","Provider","Provider Staff"], which means these roles are the only ones who can access the endpoint.
- Then for the roles we pass extras.roles, which comes from the auth tab, i.e. the access token. For the conditional one, we want to check if the user's roles include Administrator and Provider so that we can show all Appointments; if not, then we will just show Appointments based on the user's id (basically, if the user is not Administrator or Provider, it will just send the Appointments that were assigned to the user).
While this method works, we are unsure if it's the most effective way to leverage Xano's capabilities.
Specifically, we want recommendations on:
1. Best practices for designing and managing roles in Xano.
2. Recommended approaches for protecting API Routes from unauthorized roles.
3. Efficient methods for securing responses based on user roles.
Any inputs, insights, or examples you could provide would be greatly appreciated.
Thank you guys!!
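The two checks described in the post (an allowed-roles gate on the endpoint, then scoping the Appointment list by role) can be modelled in plain JavaScript so the logic can be unit-tested outside Xano. This is an added example, not code from the post or from Xano. It assumes `user.roles` is the role array taken from the server-verified access token (the post's extras.roles) and never from the request body, and that appointment records carry an `assigned_user_id` field (a constructed name). It goes slightly beyond the post by making the gate deny by default when either role list is missing or empty.

```javascript
// Roles from the post: only these may call the Appointment endpoint,
// and only the first two of them may see every record.
const APPOINTMENT_ALLOWED_ROLES = ["Administrator", "Elite", "Provider", "Provider Staff"];
const SEE_ALL_ROLES = ["Administrator", "Provider"];

// Deny by default: a missing/non-array role list or an empty allow-list is "not authorized".
function hasAnyRole(userRoles, allowedRoles) {
  if (!Array.isArray(userRoles) || !Array.isArray(allowedRoles)) return false;
  if (allowedRoles.length === 0) return false;
  const allowed = new Set(allowedRoles);
  return userRoles.some((role) => allowed.has(role));
}

// Endpoint precondition: reject the request with a 403-style error when no role matches.
function requireRoles(user, allowedRoles) {
  if (!hasAnyRole(user && user.roles, allowedRoles)) {
    const err = new Error("Forbidden: role not permitted for this endpoint");
    err.status = 403;
    throw err;
  }
}

// Response scoping: privileged roles get every appointment; everyone else only their own.
function visibleAppointments(user, appointments) {
  if (hasAnyRole(user.roles, SEE_ALL_ROLES)) return appointments;
  return appointments.filter((a) => a.assigned_user_id === user.id);
}

// Handler combining both steps: the role gate runs first, then the data is scoped.
function getAppointments(user, appointments) {
  requireRoles(user, APPOINTMENT_ALLOWED_ROLES);
  return visibleAppointments(user, appointments);
}

// Constructed sample data (not real records).
const SAMPLE_APPOINTMENTS = [
  { id: 1, assigned_user_id: 10, title: "Checkup" },
  { id: 2, assigned_user_id: 11, title: "Follow-up" },
  { id: 3, assigned_user_id: 10, title: "Consult" },
];

// Constructed users: roles would come from the verified token in a real deployment.
const admin = { id: 1, roles: ["Administrator"] };
const staff = { id: 10, roles: ["Provider Staff"] };
const patient = { id: 11, roles: ["Patient"] };

// Runs the three cases and returns what each caller would receive.
function demo() {
  const out = {
    admin: getAppointments(admin, SAMPLE_APPOINTMENTS).map((a) => a.id),
    staff: getAppointments(staff, SAMPLE_APPOINTMENTS).map((a) => a.id),
  };
  try {
    getAppointments(patient, SAMPLE_APPOINTMENTS);
    out.patient = "allowed";
  } catch (e) {
    out.patient = e.status;
  }
  return out;
}

console.log(demo()); // admin sees 1,2,3; staff sees only 1,3; patient gets 403
```

Two points in this layout matter for the questions asked: the endpoint gate and the response filter are separate functions, so a route can reuse the gate with a different allow-list without touching the scoping rule, and an unknown or absent role never falls through to the "see all" branch because the privileged check is an explicit allow-list rather than a negated condition.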