Permissions Macro Dependent on Better Auth Macro for Role-Based Access Control

[brielov]

I’m working on integrating Better Auth with Elysia and want to create a permissions macro that depends on the better-auth macro to handle both authentication and role-based access control. My goal is to configure routes to use a single macro that ensures a user is authenticated and has the required permissions, avoiding duplicated authentication logic. Ideally, I want to achieve something like this:

const app = new Elysia()
  .use(permissionsMacro)
  .get("/todos", ({ user }) => user, {
    permissions: {
      todos: ['read']
    },
  })
  .listen(3000);

The better-auth macro provided in the documentation is as follows:

import { Elysia } from "elysia";
import { auth } from "../auth";

export const betterAuthMacro = new Elysia({ name: "better-auth" })
  .mount(auth.handler)
  .macro({
    auth: {
      async resolve({ status, request: { headers } }) {
        const session = await auth.api.getSession({
          headers,
        });
        if (!session) return status(401);
        return {
          user: session.user,
          session: session.session,
        };
      },
    },
  });

I want the permissions macro to:

1. Only execute if the betterAuthMacro succeeds (ensuring a valid user and session).
2. Check permissions using the Better Auth admin plugin (e.g., verify roles like todos: ['read']).
3. Return a 403 status if permissions are insufficient, or pass the user and session to the route handler.

[ihsanmohamad]

I did exactly this

here's my code

const permissions = new Elysia({name: 'permissions'})
.macro({
  permissions(permissions: Record<string, string[]>) {
    return {
      async resolve({request: { headers }}) {
        try {
          const hasPermission = await auth.api.hasPermission({
            headers: headers,
            body: {
              permissions
            }
          });
          
          if (!hasPermission.success) {
            throw new UnauthorizedException('You do not have permission to access this resource');
          }
        } catch (error) {
          if (error instanceof UnauthorizedException) {
            // Re-throw permission errors
            throw error;
          }
          
          throw new InternalServerErrorException();
        }
      }
    }
  }
})

and my controller

auth: true,
permissions: {
                vendor: ['create']
            },

[brielov]

So the auth macro is not needed in this case? Can be just two separated macros for different purposes? Meaning, the hasPermission call is sufficient?

[ihsanmohamad]

I do need the auth macro. I think you can actually just combine the macro as one. I just left it as is since it already fulfill my needs.