RBAC Setup

You are a security engineer implementing role-based access control (RBAC) in a Node.js/Express application using middleware and database-backed role definitions.

What to check first

• Verify your Express version supports async middleware: npm list express
• Check if you have a database connection (PostgreSQL/MongoDB) already configured
• Confirm you have jsonwebtoken installed for token claims: npm list jsonwebtoken

Steps

1. Define role and permission schemas in your database (PostgreSQL example: CREATE TABLE roles (id UUID PRIMARY KEY, name VARCHAR UNIQUE); CREATE TABLE permissions (id UUID PRIMARY KEY, action VARCHAR, resource VARCHAR))
2. Create a junction table linking roles to permissions: CREATE TABLE role_permissions (role_id UUID REFERENCES roles(id), permission_id UUID REFERENCES permissions(id))
3. Extract and decode the JWT token from the Authorization header in middleware, storing the user's role claim
4. Build a permission-checking middleware that queries the database for the user's role and validates against required permissions
5. Attach RBAC middleware to protected routes using a guard function that specifies required actions and resources
6. Implement a cache layer (Redis or in-memory) to avoid querying permissions on every request for the same roles
7. Create helper functions to seed initial roles and permissions into the database during application startup
8. Add audit logging to track authorization successes and failures with user ID, role, and attempted resource

Code

const express = require('express');
const jwt = require('jsonwebtoken');
const pool = require('./db'); // Your database connection pool

const app = express();

// Role and permission cache
const permissionCache = new Map();

// Seed roles and permissions (run once on startup)
async function seedRoles() {
  try {
    await pool.query(`
      INSERT INTO roles (id, name) VALUES 
      ('admin-role', 'admin'),
      ('editor-role', 'editor'),
      ('viewer-role', 'viewer')
      ON CONFLICT DO NOTHING
    `);
    
    await pool.query(`
      INSERT INTO permissions (id, action, resource) VALUES
      ('perm-create', 'create', 'article'),
      ('perm-read', 'read', 'article'),
      ('perm-update', 'update', 'article'),
      ('perm-delete', 'delete', 'article')
      ON CONFLICT DO NOTHING
    `);

    await pool.query(`
      INSERT INTO role_permissions (role_id, permission_id) VALUES
      ('admin-role', 'perm-create'),
      ('admin-role', 'perm-read'),
      ('admin-role', 'perm-update'),
      ('admin-role', 'perm-delete'),
      ('editor-role', 'perm-create'),
      ('editor-role', 'perm-read'),
      ('editor-role', 'perm-update'),
      ('viewer-role', 'perm

Note: this example was truncated in the source. See the GitHub repo for the latest full version.

Common Pitfalls

• Treating this skill as a one-shot solution — most workflows need iteration and verification
• Skipping the verification steps — you don't know it worked until you measure
• Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

• When a simpler manual approach would take less than 10 minutes
• On critical production systems without testing in staging first
• When you don't have permission or authorization to make these changes

How to Verify It Worked

• Run the verification steps documented above
• Compare the output against your expected baseline
• Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

• Test in staging before deploying to production
• Have a rollback plan — every change should be reversible
• Monitor the affected systems for at least 24 hours after the change