Adding Authentication to Your App
Every app needs to know who's allowed to do what. ValkyrAI makes security easy with our powerful Role-Based Access Control (RBAC) system!
Understanding Authentication vs. Authorization
Let's get the basics straight:
- Authentication = Who are you? (logging in, proving your identity)
- Authorization = What are you allowed to do? (permissions)
ValkyrAI handles both automatically when you generate your application with ThorAPI!
ThorAPI's RBAC System: Simple But Powerful
Our RBAC system secures your app at the API level - the most secure approach possible. Here's how it works:
1. Users and Roles
When ThorAPI generates your app, it automatically creates:
- A User model with secure password handling
- A Role system with customizable permission levels
- Default roles like "Admin," "User," and "Guest"
2. Object-Level Security
Unlike basic systems that only control page access, our RBAC goes deeper:
- Each object (Product, Order, Comment, etc.) has permission rules
- You can control who can view, create, edit, or delete specific objects
- Permissions cascade through relationships (e.g., "Users can only see their own Orders")
3. API-Level Enforcement
Security happens at the deepest level:
- All security checks happen in the API before any data is sent
- Even if someone tries to hack your frontend, the backend is still secure
- Every API request is validated for proper authentication and authorization
Adding Authentication to Your App: The Easy Way
Here's how to set up authentication with ValkyrAI:
Step 1: Make Sure Authentication is Enabled
When creating your project:
- In the template selection screen, check that "User Authentication" is enabled
- ThorAPI will automatically add User and Role models to your spec
Step 2: Customize Your Authentication (Optional)
You can adjust your authentication settings in the spec:
components:
schemas:
User:
type: object
properties:
id:
type: string
format: uuid
email:
type: string
format: email
password:
type: string
format: password
x-thor-encrypt: true
firstName:
type: string
lastName:
type: string
roles:
type: array
items:
$ref: '#/components/schemas/Role'
required:
- email
- password
Step 3: Define Your Roles
ThorAPI creates default roles, but you can customize them:
Role:
type: object
properties:
id:
type: string
format: uuid
name:
type: string
enum: [ADMIN, USER, MANAGER, GUEST]
permissions:
type: array
items:
type: string
enum: [CREATE, READ, UPDATE, DELETE]
Step 4: Set Up Object Permissions
Define which roles can access which objects:
x-thor-permissions:
Product:
ADMIN: [CREATE, READ, UPDATE, DELETE]
MANAGER: [CREATE, READ, UPDATE]
USER: [READ]
GUEST: [READ]
Order:
ADMIN: [READ, UPDATE, DELETE]
MANAGER: [READ, UPDATE]
USER: [CREATE, READ, UPDATE]
GUEST: []
Step 5: Add Login/Signup UI
After generation, ask ValorIDE to create the user interface:
Create login and signup pages with email and password fields.
Add a user profile page where users can see their information.
Make sure the navbar shows "Login" when users aren't logged in,
and their name with a dropdown menu when they are logged in.
ValorIDE will use the ThorAPI-generated authentication services to create these pages!
How It Works Behind the Scenes
When you build with ValkyrAI, here's what happens:
-
ThorAPI generates:
- Database tables for Users and Roles
- Secure password encryption and storage
- JWT (JSON Web Token) authentication
- API endpoints for login, signup, etc.
- Permission validation on all API calls
-
ValorIDE uses these components to build:
- Login/signup forms
- User profile management
- Role-based UI elements (showing/hiding based on permissions)
Advanced Authentication Features
As your app grows, you might want to add:
Single Sign-On (SSO)
Ask ValorIDE:
Add Google and Facebook login options to the login page.
Multi-Factor Authentication
Ask ValorIDE:
Add two-factor authentication using SMS codes.
Custom Permission Logic
Ask ValorIDE:
Make it so managers can only edit products they created themselves.
Best Practices for App Security
- Always use HTTPS for your deployed application
- Never store sensitive data in local storage or cookies
- Set appropriate permissions - start restrictive and open up as needed
- Validate all user input on both frontend and backend
- Use auto-logout for inactive sessions
Next Steps
Now that you have authentication working, you might want to:
- Deploy your application to make it available online
- Integrate payment processing if you're building an e-commerce app
Remember: With ValkyrAI, security isn't an afterthought - it's built into every app from the beginning!