This project is a Role-Based Access Control (RBAC) system built with Node.js, Express, and MongoDB. It implements a comprehensive authentication and authorization mechanism using JWT tokens and a hierarchical permission structure.
Models:
- User: Stores user credentials and associated roles
- Role: Defines roles like superuser, admin, editor, and viewer
- Scope: Defines permissions for specific resources and actions
- Resource: Represents entities like users, posts, and comments
- Permission: Links resources with allowed actions
Authentication & Authorization:
- JWT-based authentication system
- Middleware for verifying user identity and permissions
- Granular access control based on roles and scopes
API Routes:
- Auth routes for user registration and login
- Protected resource routes for posts, users, and comments
- Each endpoint requires specific permissions
The system uses a hierarchical permission model:
- Resources: The entities in the system (user, post, comment)
- Actions: Operations that can be performed (read, write, delete)
- Scopes: Combinations of resources and actions (e.g., r_post, rw_user, rwx_comment)
- Roles: Collections of scopes assigned to users
Scope naming follows a pattern:
- r_ prefix: Read-only access
- rw_ prefix: Read and write access
- rwx_ prefix: Full access (read, write, delete)
- Superuser: Has full access to all resources
- Admin: Has full access to posts and comments
- Editor: Has read/write access to posts and read-only access to comments
- Viewer: Has read-only access to posts
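As an added example (not the project's own code), the scope prefixes and the role-to-scope mapping above can be turned into a default-deny permission check plus an Express-style middleware; the inline role table, the regex for scope names and the `req.user.roles` shape set by an earlier JWT middleware are assumptions.

```javascript
// Actions granted by each scope prefix: r_ = read, rw_ = read+write,
// rwx_ = read+write+delete (the naming pattern described above).
const PREFIX_ACTIONS = {
  r: ['read'],
  rw: ['read', 'write'],
  rwx: ['read', 'write', 'delete'],
};

// Parse a scope name such as "rw_post" into { resource, actions }.
// Malformed names return null so an unrecognised scope never grants access.
function parseScope(scope) {
  const m = /^(rwx|rw|r)_([a-z]+)$/.exec(scope);
  if (!m) return null;
  return { resource: m[2], actions: PREFIX_ACTIONS[m[1]] };
}

// Constructed sample of the four roles; in the real project these would be
// loaded from the Role/Scope models rather than hard-coded.
const ROLES = {
  superuser: ['rwx_user', 'rwx_post', 'rwx_comment'],
  admin: ['rwx_post', 'rwx_comment'],
  editor: ['rw_post', 'r_comment'],
  viewer: ['r_post'],
};

// True only when some scope on one of the user's roles grants `action` on
// `resource`. Unknown roles, resources or actions fail closed.
function isAllowed(userRoles, resource, action) {
  return userRoles.some((role) =>
    (ROLES[role] || []).some((scope) => {
      const parsed = parseScope(scope);
      return parsed !== null &&
        parsed.resource === resource &&
        parsed.actions.includes(action);
    })
  );
}

// Hypothetical middleware factory: assumes an earlier JWT-verification
// middleware has populated req.user = { roles: [...] }.
function requirePermission(resource, action) {
  return (req, res, next) => {
    const roles = (req.user && req.user.roles) || [];
    if (!isAllowed(roles, resource, action)) {
      return res.status(403).json({ error: 'forbidden' });
    }
    return next();
  };
}
```

A route would then be declared as `app.delete('/api/posts/:id', verifyJwt, requirePermission('post', 'delete'), handler)`, with the JWT check running first so `req.user` is set.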
The application connects to a MongoDB instance running in a Docker container with the following configuration:
- Host: localhost:27017
- Authentication: Username/password (admin/secret)
- Database: rbac_jwt
The application can be started with:
- npm start for production
- npm run dev for development with nodemon
A seeder endpoint is available at /seeder to initialize the database with resources, scopes, roles, and users.
The server runs on port 5000 by default and exposes API endpoints under the /api prefix.