#Node.js #Authentication #Authorization #Web Development #Security

Node.js RBAC: Secure Your App Simply

Namir Ahmed
Namir Ahmed
5 min read
Node.js RBAC implementation diagram for an article by Atlanta based Software Engineer, Namir Ahmed.

Securing your Node.js applications is a big deal. One of the most common and effective ways to manage permissions is Role-Based Access Control (RBAC). It’s pretty straightforward: users have roles, and roles have permissions. This keeps things organized and, more importantly, secure.

Let’s break down how to implement RBAC in a Node.js app. We’re going to focus on a common pattern using Express.js.

The Core Idea

At its heart, RBAC means we don’t assign permissions directly to users. Instead, we group users into roles (like ‘admin’, ‘editor’, ‘viewer’), and then assign permissions to those roles. A user can have multiple roles. This simplifies management a lot. If you need to change a permission for everyone who can edit articles, you just update the ‘editor’ role, not every single user.

Setting Up Our Structure

We’ll need a few things:

  1. User Model: To store user information, including their assigned roles.
  2. Role Model: To define the roles available and their associated permissions.
  3. Middleware: To check permissions before allowing access to certain routes.

Let’s imagine we’re building a simple blog platform. Our users can be ‘authors’ or ‘admins’. Authors can create and edit their own posts. Admins can do everything, including managing users and deleting any post.

Database Models (Conceptual)

For simplicity, I’ll use plain JavaScript objects to represent our data. In a real app, you’d use an ORM like Sequelize or Mongoose.

// User Model (simplified)
let users = [
  { id: 1, name: 'Alice', roles: ['author'] },
  { id: 2, name: 'Bob', roles: ['author', 'admin'] }
];


// Role Definitions (simplified)
let roles = {
  author: [
    'create:post',
    'edit:own:post'
  ],
  admin: [
    'create:post',
    'edit:own:post',
    'edit:any:post',
    'delete:any:post',
    'manage:users'
  ]
};


// Helper to get all permissions for a user
function getUserPermissions(userId) {
  const user = users.find(u => u.id === userId);
  if (!user) return [];


  let allPermissions = new Set();
  user.roles.forEach(roleName => {
    if (roles[roleName]) {
      roles[roleName].forEach(permission => {
        allPermissions.add(permission);
      });
    }
  });
  return Array.from(allPermissions);
}


// Helper to check if a user has a specific permission
function userHasPermission(userId, requiredPermission) {
  const permissions = getUserPermissions(userId);
  return permissions.includes(requiredPermission);
}

Express Middleware for Authorization

Now, let’s write the middleware. This middleware will run before our route handlers and check if the authenticated user has the necessary permissions.

Assume you have an authentication middleware that attaches the userId to req.user after a user logs in. For example, req.user = { id: 1 };.

// Assume this is already done by your authentication middleware
// const authMiddleware = (req, res, next) => { /* ... */ req.user = { id: 1 }; next(); };


function authorize(requiredPermission) {
  return (req, res, next) => {
    const userId = req.user ? req.user.id : null;


    if (!userId) {
      // User is not authenticated
      return res.status(401).json({ message: 'Unauthorized: Not authenticated' });
    }


    // In a real app, you'd fetch user roles/permissions from DB here
    // For this example, we're using our global `users` and `roles` data
    const hasPermission = userHasPermission(userId, requiredPermission);


    if (hasPermission) {
      next(); // User has permission, proceed to the route
    } else {
      res.status(403).json({ message: 'Forbidden: Insufficient permissions' });
    }
  };
}

Applying the Middleware

Now, let’s use this middleware in our Express routes.

const express = require('express');
const app = express();


// Assume authMiddleware is set up to populate req.user.id
// const authMiddleware = require('./middleware/auth');


// Dummy auth middleware for demonstration
const authMiddleware = (req, res, next) => {
  req.user = { id: 1 }; // Simulating Alice, an author
  next();
};


// Routes


// Anyone can view posts (no auth needed, or a basic auth)
app.get('/posts', (req, res) => {
  res.send('All posts are visible.');
});


// Only logged-in users can create posts (assuming authMiddleware is applied)
app.post('/posts', authMiddleware, authorize('create:post'), (req, res) => {
  res.send('Post created successfully!');
});


// Route to edit any post, requires admin privileges
app.put('/posts/:id', authMiddleware, authorize('edit:any:post'), (req, res) => {
  res.send(`Post ${req.params.id} updated by admin.`);
});


// Example of a user-specific edit (this logic usually goes inside the route handler)
app.put('/my-posts/:id', authMiddleware, (req, res) => {
  const userId = req.user.id;
  const postId = req.params.id;


  // In a real app, you'd fetch the post and check ownership
  const isOwnPost = true; // Placeholder for actual ownership check


  if (userHasPermission(userId, 'edit:any:post') || (userHasPermission(userId, 'edit:own:post') && isOwnPost)) {
    res.send(`Post ${postId} updated by user.`);
  } else {
    res.status(403).json({ message: 'Forbidden: Cannot edit this post.' });
  }
});


const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
  console.log(`Server running on port ${PORT}`);
});

Considerations

  • Granularity: The permission strings like 'create:post' are just examples. You can make them as granular or as broad as your application requires.
  • Database: For production, you’ll absolutely want to store users, roles, and their relationships in a database. Fetching roles and permissions on every request can be slow if not cached properly.
  • Authentication: This example assumes you already have a robust authentication system in place that correctly identifies the user and attaches their ID to the request object.
  • Ownership Checks: For permissions like ‘edit:own:post’, the actual logic to verify ownership usually happens inside the route handler, after the basic permission check. The middleware ensures the user can edit their own posts; the handler verifies if this specific post belongs to them.
  • Caching: If your role/permission structure is complex or changes infrequently, consider caching user permissions in memory or using a dedicated caching layer.

RBAC is a fundamental security pattern. Implementing it well in your Node.js application makes managing access control much cleaner and more scalable. Start simple, and refine as your application grows.

Back to Blog
← Previous Article Scaling Session Management Made Easy Next Article → Understanding Dead Letter Queues

Contents

Need to Message Me?

Let's Talk!