Next.js Role-Based Access Control Middleware - Gigawave

Next.js
Security
Middleware
RBAC

Implementing Role-Based Access Control in Next.js Using Middleware

Amit Hariyale

Full Stack Web Developer, Gigawave

6 min read · June 14, 2025

Implementing robust access control is crucial for any SaaS application. When using Next.js with a custom backend, developers often face the challenge of integrating JWT-based authentication with middleware for role-based access control (RBAC). This guide walks through an effective solution for managing page-level permissions using Next.js middleware.

The Challenge: Custom Backend Integration

Authentication handled by separate backend service
JWT tokens stored in HTTP-only cookies
Need to verify roles before page rendering
Centralized access control for all protected routes

Important NoteMiddleware runs on the edge network, so we need lightweight JWT verification methods

Step 1: Understanding Our JWT Structure

Our backend team implemented JWTs with a role claim in the payload:

jwt-payload.d.ts

interface JwtPayload {
  userId: string;
  role: "USER" | "ADMIN" | "MODERATOR";
  // ...other claims
}

Step 2: Creating the Middleware

The middleware handles authentication and authorization before requests reach your pages:

middleware.ts

import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';
import { verifyToken } from '@/lib/auth'; // Custom JWT verifier

// Role-based route configuration
const roleRoutes: Record<string, string[]> = {
  ADMIN: ['/dashboard', '/admin', '/settings'],
  MODERATOR: ['/dashboard', '/mod-tools'],
  USER: ['/dashboard'],
};

export async function middleware(req: NextRequest) {
  const token = req.cookies.get('auth-token')?.value;
  const { pathname } = req.nextUrl;

  // 1. Redirect unauthenticated users
  if (!token) {
    return NextResponse.redirect(new URL('/login', req.url));
  }

  // 2. Verify JWT token
  const payload = await verifyToken(token);
  if (!payload) {
    return NextResponse.redirect(new URL('/login', req.url));
  }

  // 3. Check if path requires specific role
  const requiredRole = Object.entries(roleRoutes).find(([_, paths]) =>
    paths.some(path => pathname.startsWith(path))
  )?.[0];

  // 4. Grant access if no specific role required
  if (!requiredRole) return NextResponse.next();

  // 5. Verify user has required role
  if (payload.role !== requiredRole) {
    return NextResponse.redirect(new URL('/unauthorized', req.url));
  }

  return NextResponse.next();
}

export const config = {
  matcher: [
    '/dashboard/:path*',
    '/admin/:path*',
    '/mod-tools/:path*',
    '/settings/:path*'
  ],
};

Step 3: Key Components Explained

JWT Verification

Our custom verifyToken function:

lib/auth.ts

import jwt from '@tsndr/cloudflare-worker-jwt'; // Lightweight JWT verifier

export async function verifyToken(token: string) {
  try {
    const isValid = await jwt.verify(token, process.env.JWT_SECRET!);
    if (!isValid) return null;
    
    const { payload } = jwt.decode(token);
    return payload as JwtPayload;
  } catch (error) {
    console.error('Token verification failed:', error);
    return null;
  }
}

Role-Based Path Matching

Defining role/route relationships:

middleware.ts

const roleRoutes = {
  ADMIN: ['/dashboard', '/admin', '/settings'],
  MODERATOR: ['/dashboard', '/mod-tools'],
  USER: ['/dashboard'],
};

Step 4: Handling Edge Cases

Token expiration handling
Role inheritance (Admin inherits Moderator permissions)
Public/private hybrid routes
API route protection

Pro TipFor role inheritance, implement a role hierarchy check:

middleware.ts

const roleHierarchy = {
  ADMIN: ['ADMIN', 'MODERATOR', 'USER'],
  MODERATOR: ['MODERATOR', 'USER'],
  USER: ['USER']
};

// In middleware:
if (!roleHierarchy[payload.role].includes(requiredRole)) {
  return NextResponse.redirect('/unauthorized');
}

Step 5: Server-Side Validation

Always verify roles in API routes too:

app/api/admin/route.ts

import { verifyToken } from '@/lib/auth';

export async function GET(req: Request) {
  const token = req.headers.get('Authorization')?.split(' ')[1];
  
  if (!token) {
    return new Response('Unauthorized', { status: 401 });
  }

  const payload = await verifyToken(token);
  
  if (payload?.role !== 'ADMIN') {
    return new Response('Forbidden', { status: 403 });
  }

  // Admin-only logic
}

Best Practices

Always verify tokens on both client and server
Implement short-lived access tokens (15-30 mins)
Use HTTP-only cookies for token storage
Maintain a centralized role definition
Log all access control failures

Useful Resources

Final Thoughts

Implementing RBAC with a custom backend required careful coordination between frontend and backend teams, but using Next.js middleware provided a clean, centralized solution. The key was establishing clear contracts for JWT structure and implementing lightweight verification for edge runtime.

Remember: Middleware is your first security layer, but always validate permissions in your backend too!

Next Blog

The Challenge: Custom Backend Integration

Step 1: Understanding Our JWT Structure

Step 2: Creating the Middleware

Step 3: Key Components Explained

JWT Verification

Role-Based Path Matching

Step 4: Handling Edge Cases

Step 5: Server-Side Validation

Best Practices

Useful Resources

Final Thoughts

Mastering Next.js Routing From Basics to Advanced Patterns