# fastify-xauth-better

## requireOrgRole(roles)

Returns a preHandler that enforces org-scoped role membership on `request.organization`.

Returns a preHandler middleware that checks `request.organization.role` against an allowed-roles list. This checks the user's org-scoped `Member.role`, not their global `User.role`. It must be preceded by `requireOrg()` so that `request.organization` is already populated.
### Signature

```ts
instance.requireOrgRole(
  roles: string | string[]
): (request: FastifyRequest, reply: FastifyReply) => Promise<void>
```
### Params

| Name | Type | Required | Description |
|---|---|---|---|
| `roles` | `string \| string[]` | Yes | One or more allowed org-scoped role values (matched against `Member.role`) |
### Returns

A preHandler function to pass to a route's `preHandler` option.
### Throws

- `Error` — `request.organization` is not set (`requireOrg()` was not called first)
- `403 Forbidden` — user is not a member of the org, or their org role is not in the list
### Examples

#### Restrict settings to org owners and admins

```js
const userAuth = fastify.xauthbetter.get("user");

fastify.put("/orgs/:orgId/settings", {
  preHandler: [
    userAuth.requireAuth(),
    userAuth.requireOrg(),                       // populates request.organization
    userAuth.requireOrgRole(["owner", "admin"]), // checks the org-scoped Member.role
  ],
}, async (request) => {
  return { org: request.organization.id, updatedBy: request.user.id };
});
```

#### Single role — owner only

```js
fastify.delete("/orgs/:orgId", {
  preHandler: [
    userAuth.requireAuth(),
    userAuth.requireOrg(),
    userAuth.requireOrgRole("owner"),
  ],
}, async (request) => {
  return { deleted: request.organization.id };
});
```
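To make the org-scoped versus global distinction concrete, here is an added, dependency-free JavaScript stand-in that mirrors the decision this page documents. It is not the fastify-xauth-better implementation and does not import Fastify; the function names `makeRequireOrgRole`, `checkOrgRole`, `evaluate`, `demo`, the fixture request objects and their `user` / `organization` shapes are all assumptions made for the example. It walks four cases: an org owner passes, a plain org member is refused with 403, a user whose global `User.role` is `admin` but whose `Member.role` is only `member` is still refused, and a request where `requireOrg()` never ran fails with a plain `Error` rather than a 403.

```javascript
// Added example: a minimal stand-in that mirrors the behaviour this page documents
// for requireOrgRole(). It is not the fastify-xauth-better implementation and has no
// dependency on Fastify; the request objects below are constructed fixtures.

// Normalise the documented `string | string[]` parameter into a Set of allowed roles.
function toAllowedSet(roles) {
  return new Set(Array.isArray(roles) ? roles : [roles]);
}

// Core decision, kept synchronous so it can be exercised directly.
// Throws a plain Error when requireOrg() has not populated request.organization,
// and an Error carrying statusCode 403 when the org-scoped role is not allowed.
function checkOrgRole(allowed, request) {
  if (!request.organization) {
    throw new Error("request.organization is not set; requireOrg() must run first");
  }
  // The org-scoped Member.role decides; the global User.role is deliberately ignored.
  const orgRole = request.organization.role;
  if (orgRole == null || !allowed.has(orgRole)) {
    const err = new Error("Forbidden: org role not permitted for this route");
    err.statusCode = 403; // Fastify uses statusCode on a thrown error as the HTTP status
    throw err;
  }
}

// preHandler factory in the shape of the documented signature (assumed name, not the
// library's own). Usage would be: preHandler: [..., makeRequireOrgRole(["owner"])]
function makeRequireOrgRole(roles) {
  const allowed = toAllowedSet(roles);
  return async function requireOrgRole(request, _reply) {
    checkOrgRole(allowed, request);
  };
}

// Walkthrough helper: summarise the outcome of the same core check for one request.
function evaluate(roles, request) {
  try {
    checkOrgRole(toAllowedSet(roles), request);
    return { ok: true };
  } catch (err) {
    return { ok: false, status: err.statusCode ?? 500, message: err.message };
  }
}

// Constructed fixtures: request.user carries the global User.role,
// request.organization carries the org-scoped Member.role (as left by requireOrg()).
const fixtures = {
  ownerInOrg: { user: { id: "u1", role: "user" }, organization: { id: "org1", role: "owner" } },
  memberInOrg: { user: { id: "u2", role: "user" }, organization: { id: "org1", role: "member" } },
  globalAdminPlainMember: { user: { id: "u3", role: "admin" }, organization: { id: "org1", role: "member" } },
  requireOrgSkipped: { user: { id: "u4", role: "user" } },
};

function demo() {
  return {
    ownerPasses: evaluate(["owner", "admin"], fixtures.ownerInOrg),
    memberRejected: evaluate(["owner", "admin"], fixtures.memberInOrg),
    // A global admin holding only the "member" org role is still rejected: the check is org-scoped.
    globalAdminRejected: evaluate(["owner", "admin"], fixtures.globalAdminPlainMember),
    // Without requireOrg() the factory cannot decide at all, so it fails with a plain Error, not 403.
    missingOrg: evaluate("owner", fixtures.requireOrgSkipped),
    ownerOnlyPasses: evaluate("owner", fixtures.ownerInOrg),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the third fixture is the one that matters operationally: a global `admin` is not implicitly an org `admin`. Route policy that needs "anyone who administers this org" must spell out the org roles it accepts rather than relying on `requireRole()`, and the ordering `requireAuth()` then `requireOrg()` then `requireOrgRole()` is what turns a missing-organization bug into an explicit error instead of a silent allow.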
### See also

- `requireOrg()` — must run before `requireOrgRole()`
- `requireRole(roles)` — enforce global user role instead of org role
### AI Context

```yaml
package: "@xenterprises/fastify-xauth-better"
method: fastify.xauthbetter.get(name).requireOrgRole(roles)
use-when: Fastify preHandler factory that enforces an org-scoped role — must be preceded by requireOrg()
usage: { preHandler: [auth.requireAuth(), auth.requireOrg(), auth.requireOrgRole(['owner'])] }
```
