Role Resolution Service
Component Detail
Description
Resolves the authenticated user's role(s) from Supabase user metadata or the roles table immediately after login. Determines which role(s) a user holds and sets the initial active role in app state.
role-resolution-service
Summaries
The Role Resolution Service is a critical security and personalization layer that ensures every user sees only the features, data, and workflows appropriate to their organizational position immediately upon login. By accurately determining whether a person is a student, instructor, administrator, or holds multiple roles simultaneously, the platform eliminates access control errors that could expose sensitive information or create compliance violations. This directly reduces operational risk, lowers support overhead caused by users encountering wrong-permission screens, and accelerates onboarding by placing users in the correct context from the very first session — protecting both the business and its users.
Role Resolution Service has medium complexity and executes at login time, making it a critical path dependency for authentication flows. It integrates with Supabase user metadata and the roles table, so any schema changes to either surface require coordinated updates here. The service feeds directly into Role State Manager, meaning it must be stable and tested before UI role-gating work can begin. Testing scope includes single-role users, multi-role users, users with no roles assigned, and edge cases around metadata inconsistency.
Plan for integration tests against a staging Supabase instance. Delays in this component will cascade to all role-dependent features downstream.
Role Resolution Service queries Supabase post-authentication via the role-repository abstraction, reading both the user metadata fields and the dedicated roles table to build a complete role list for the authenticated user. It exposes five interfaces: resolveRoles() for full role hydration, getPrimaryRole() and getAllRoles() for selective access, isGlobalAdmin() as a fast-path permission check, and setInitialRole(), which dispatches the resolved role list into the role-state-manager BLoC or Riverpod provider. Multi-role support requires ordered priority logic when selecting the primary role. Ensure Supabase RLS policies permit the post-login metadata read, and handle async resolution errors gracefully so that app state is never left with an uninitialized role.
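The priority selection and error handling described above, as an added Dart example that is not the project's own code. It covers the metadata-inconsistency case by treating the roles table as authoritative and metadata as an unverified hint, because Supabase `user_metadata` can be changed by the signed-in user. Assumptions: the "table wins" rule, the priority order administrator > instructor > student, and the hypothetical names `reconcile` and `ResolvedRoles`; the two input lists stand in for what the role-repository returns.

```dart
// Added example, not the project's code; priority order and "table wins" are assumptions.
enum Role { administrator, instructor, student } // declared in assumed priority order

class ResolvedRoles {
  final List<Role> all; // highest priority first
  final List<String> discrepancies; // for logging only, never grants access
  const ResolvedRoles(this.all, this.discrepancies);
  Role? get primary => all.isEmpty ? null : all.first;
}

Role? _parse(String raw) {
  final name = raw.trim().toLowerCase();
  for (final r in Role.values) {
    if (r.name == name) return r;
  }
  return null; // unknown strings never become a role
}

/// [tableRoles] is null when the roles-table read failed.
ResolvedRoles reconcile(List<String>? tableRoles, List<String> metadataRoles) {
  if (tableRoles == null) {
    // Fail closed: never fall back to metadata alone.
    return const ResolvedRoles([], ['roles table unavailable, no role granted']);
  }
  final notes = <String>[];
  final granted = <Role>{};
  for (final raw in tableRoles) {
    final role = _parse(raw);
    if (role == null) {
      notes.add('unknown role in table: $raw');
    } else {
      granted.add(role);
    }
  }
  for (final raw in metadataRoles) {
    final role = _parse(raw);
    if (role == null || !granted.contains(role)) {
      notes.add('metadata role not backed by table, ignored: $raw');
    }
  }
  final ordered = granted.toList()..sort((a, b) => a.index.compareTo(b.index));
  return ResolvedRoles(ordered, notes);
}

void main() {
  // Constructed inputs: metadata claims administrator, the table does not.
  final r = reconcile(['student', 'Instructor'], ['administrator', 'student']);
  print('primary=${r.primary} all=${r.all} notes=${r.discrepancies}');
  print('on failure: ${reconcile(null, ["administrator"]).primary}');
}
```

A null `primary` is an explicit "no role" state that the caller can route to a restricted screen; the role shown in the client is a UI decision, and RLS remains the enforcement point for data access.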
Responsibilities
- Query Supabase user metadata and roles table post-login
- Determine primary and secondary roles for the user
- Set initial active role in BLoC/Riverpod app state
- Handle multi-role users by returning all assigned roles
Interfaces
resolveRoles(String userId)
getPrimaryRole(String userId)
getAllRoles(String userId)
isGlobalAdmin(String userId)
setInitialRole(List<Role> roles)
Relationships
Dependencies (2)
Components this component depends on
Related Data Entities (2)
Data entities managed by this component