Throwing errors from /api/login , conditional access

[Nikola-Milovic]

Hello, I was wondering if something like this was possible. I am trying to verify if the user has specific claims and if they do not, deny them access. I tried the following

// api/login/
const handler = async (req: NextApiRequest, res: NextApiResponse) => {
    try {
        const { AuthUser: user, idToken } = await setAuthCookies(req, res);
        if (!user.claims["admin"]) {
            await unsetAuthCookies(req, res);
            return res.status(403).json({ error: "This user isn't an admin." });
        }
    } catch (e) {
        return res.status(500).json({ error: "Unexpected error." });
    }
    return res.status(200).json({ success: true });
};

And this crashes the site and I have no clue at what level is the error propagated/ where it should be caught as I don't really have access to any of the internals. This might be a question for FirebaseUI-React but considering that the error originates from '/login' endpoint I am guessing it's getting called by the Firebase-Next-Auth itself

const firebaseAuthConfig = {
    signInFlow: "popup",
    signInOptions: [
        {
            provider: firebase.auth.EmailAuthProvider.PROVIDER_ID,
            requireDisplayName: false,
            disableSignUp: { status: true },
        },
    ],
    signInSuccessUrl: "/",
    credentialHelper: "none",
    callbacks: {
        signInSuccessWithAuthResult: () =>
            false,
    },
};

const FirebaseAuth = () => {
    // no SSR rendering code ...
    
    return (
        <div>
            {renderAuth ? (
                <StyledFirebaseAuth
                    uiConfig={firebaseAuthConfig}
                    firebaseAuth={firebase.auth()}
                />
            ) : null}
        </div>
    );
};

[kmjennison]

Yes, what you're looking to do is possible but requires a little more customization.

Right now, if the login/logout endpoints return a non-200 response, this library will throw. To handle errors in a different way, specify a custom tokenChangedHandler in your config. Yours might look like the default handler but with try/catch based on 403 responses.