Role based permissions for api access in middleware

[S7012MY]

Is there a way to do role based permissions in middleware?
I'm asking this because I was hoping that there would be a way to call getSession in middleware.
Otherwise I would need to implement a helper function hasPermissions(req) and call it in every single file and I'm trying to avoid that
Thanks

[miikebar]

You can use the authorized callback passed to the withAuth:

middleware.ts

import { withAuth } from "next-auth/middleware"

export default withAuth({
  callbacks: {
    authorized: ({ req, token }) => {
      const path = req.nextUrl.pathname;

      // Check if the middleware is processing the
      // route which requires a specific role
      if (path.startsWith("/admin")) {
        return token?.role === "admin";
      }

      // By default return true only if the token is not null
      // (this forces the users to be signed in to access the page)
      return token !== null;
    }
  }
})

// Define paths for which the middleware will run
export const config = {
  matcher: [
    "/profile/:path*",
    "/admin/:path*"
  ]
}

This will make both /profile and /admin routes require the user to be authenticated, and the /admin route will require the user to have the admin role assigned. What's worth noting is that by default the user will be redirected to the sign in page if the authorized callback returns false, so in the case of an authenticated user without the admin role, if he were to access the /admin route he would still get redirected to the sign in page even though he is already signed in.

[DiegoGonzalezCruz]

thanks, I was looking for this