Handling Authentication in Flutter Application Using PayloadCMS

[iamyahia]

I'm currently working on a Flutter application called Courier Delivery Flutter App, which includes three distinct roles: admin, seller, and driver. We like to use PayloadCMS to create APIs and manage all the role-based access controls.

However, I'm facing challenges with implementing authentication and role management in the app. Specifically, I'm unsure how to effectively integrate PayloadCMS to handle these roles and manage authentication within the Flutter environment.

My questions are:

1. Can we implement authentication with email and password for our role-specific users when they log in from the mobile app? and a need to make user that no one have access to the dedicate routes/end-points that we create .
2. How should Flutter handle user sessions—should we use cookies, JWTs, or another method to manage logged-in users and store their session information securely?

I'm very new to payloadCMS and realy begginer, so I would greatly appreciate any advice or insights from developers who have experience handling similar scenarios using PayloadCMS.

[andershermansen]

1. Yes.

You can use the REST API to communicate between the app and Payload CMs. There is a REST API to do the login. See the REST API documentation at: https://payloadcms.com/docs/rest-api/overview

When you call the login API you get a token and the user object back, which will also contain the roles. You can then adjust the functionality in you app accordingly.

For further API calls towards Payload CMS you include the access token as a Authorization Bearer in the HTTP header.

It's important that you implement Access control within you Payload CMS properly so that the actual user roles are enforced on backend side when doing API calls. If not other users without the proper role could call your API directly to do things they are not authorized to do. See https://payloadcms.com/docs/access-control/overview for details about access control.

2. I'm not sure about how Flutter works in this regard, I have only used Expo (react native). There I have just stored the token in a session and just used it in the header when doint REST API calls as described above. To aovid the user needing to login every time I have also stored the username and password in secure storage, so that it can be reused for automatic login when user opens the app at later time. This is not Payload CMS specific, so you should check the flutter documetntation on how to best do this.