In modern web applications, implementing a dynamic Role-Based Access Control (RBAC) system is crucial for managing user permissions effectively. This blog post covers how to build a scalable RBAC system in a Node.js and Express.js backend with a React frontend, ensuring real-time updates to user access across different roles.
▪️Granular Permissions: Permissions are dynamically configurable for each role.
▪️Real-time Updates: Changes in role permissions are instantly reflected in the application.
▪️Backend Enforcement: Middleware restricts access to APIs based on user roles.
▪️Frontend UI Control: Unauthorized users are prevented from accessing restricted UI elements.
▪️Scalability & Maintainability: Roles and permissions can be modified without changing the code.
Permissions should be stored in a roles table, where each role is associated with a list of allowed routes/actions. Example:
{
  "role": "Admin",
  "permissions": ["dashboard.view", "reports.view", "users.manage"]
}
This structure allows dynamic updates without modifying the codebase.
Admins should have an API to modify user roles dynamically (covered below). First, authentication has to issue the tokens the rest of the flow relies on: a short-lived access token that carries the user's role, and a longer-lived refresh token that carries only the user id:
import jwt from "jsonwebtoken";
import dotenv from "dotenv";

dotenv.config();

// Issues a short-lived access token carrying the role the middleware will check,
// and a longer-lived refresh token that identifies the user only.
export const generateTokens = (userId: string, role: string) => {
  const accessToken = jwt.sign({ userId, role }, process.env.ACCESS_SECRET!, {
    expiresIn: "15m",
  });
  const refreshToken = jwt.sign({ userId }, process.env.REFRESH_SECRET!, {
    expiresIn: "7d",
  });
  return { accessToken, refreshToken };
};
The role and permission middleware is where the backend enforces access control. Here's how it works:
▪️Extract Token: It checks if the request has an authorization token.
▪️Decode Token: It verifies the JWT token and extracts the user’s role.
▪️Fetch Role Permissions: It retrieves the allowed permissions from the database.
▪️Check Permission: It verifies if the user has the required permission.
▪️Authorize or Reject: If the permission is missing, it returns a 403 Forbidden response; otherwise, it allows the request to proceed.
This ensures that only authorized users can access specific API routes dynamically, based on their assigned permissions.
import { Request, Response, NextFunction } from 'express';
import jwt from 'jsonwebtoken';
import RoleModel from '../models/roleModel';

type DecodedToken = {
  userId: string;
  role: string;
};

// Usage: router.get('/reports', roleMiddleware('reports.view'), reportsHandler)
export const roleMiddleware =
  (requiredPermission: string) =>
  async (req: Request, res: Response, next: NextFunction) => {
    try {
      // 1. Extract the bearer token from the Authorization header.
      const token = req.headers.authorization?.split(' ')[1];
      if (!token) return res.status(401).json({ message: 'Unauthorized' });

      // 2. Verify signature and expiry, then read the role claim.
      const decoded = jwt.verify(token, process.env.ACCESS_SECRET!) as DecodedToken;

      // 3. Fetch the role's current permissions from the database on every request,
      //    so updates made through the admin API apply immediately.
      const userRole = await RoleModel.findOne({ role: decoded.role });

      // 4/5. Check the required permission, then authorize or reject.
      if (!userRole || !userRole.permissions.includes(requiredPermission)) {
        return res.status(403).json({ message: 'Forbidden' });
      }
      next();
    } catch (error) {
      // jwt.verify throws on a bad signature or an expired token: that is a
      // client error (401), not a server failure.
      if (error instanceof jwt.JsonWebTokenError) {
        return res.status(401).json({ message: 'Unauthorized' });
      }
      res.status(500).json({ message: 'Internal Server Error' });
    }
  };
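To show the five middleware steps end to end without a database or Express, here is an added, self-contained example (not code from the post or its project). It replaces jwt.sign/jwt.verify with a minimal HS256 implementation on Node's crypto module, replaces the roles collection with an in-memory Map, and uses a constructed secret; the user ids, role names and permission strings mirror the post's scenario. It then walks through the dynamic update: the same Manager token is rejected for "users.manage" before the role is updated and accepted right after, while forged, missing and expired tokens are rejected with 401.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed in-memory stand-in for the roles collection the middleware queries.
const roles = new Map<string, string[]>([
  ["Admin", ["dashboard.view", "reports.view", "users.manage"]],
  ["Manager", ["dashboard.view", "reports.view"]],
  ["Employee", ["dashboard.view"]],
]);

// Hypothetical secret for the demo; real code reads ACCESS_SECRET from the environment.
const ACCESS_SECRET = "constructed-demo-secret-do-not-use";

type AccessClaims = { userId: string; role: string; iat: number; exp: number };

const nowSeconds = (): number => Math.floor(Date.now() / 1000);
const b64url = (s: string): string => Buffer.from(s).toString("base64url");
const hmac = (data: string): string =>
  createHmac("sha256", ACCESS_SECRET).update(data).digest("base64url");

// Minimal HS256 signer standing in for jwt.sign({ userId, role }, secret, { expiresIn: "15m" }).
export function signAccessToken(
  userId: string,
  role: string,
  ttlSeconds = 15 * 60,
  issuedAt = nowSeconds(),
): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(
    JSON.stringify({ userId, role, iat: issuedAt, exp: issuedAt + ttlSeconds }),
  );
  return `${header}.${payload}.${hmac(`${header}.${payload}`)}`;
}

// Stand-in for jwt.verify: checks signature (constant time), algorithm and expiry.
// Any failure yields null, which the caller maps to 401 rather than 500.
export function verifyAccessToken(token: string, now = nowSeconds()): AccessClaims | null {
  const parts = token.split(".");
  const header = parts[0], payload = parts[1], sig = parts[2];
  if (parts.length !== 3 || !header || !payload || !sig) return null;
  const expected = Buffer.from(hmac(`${header}.${payload}`));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  try {
    const hdr = JSON.parse(Buffer.from(header, "base64url").toString("utf8"));
    if (hdr.alg !== "HS256") return null;
    const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")) as AccessClaims;
    if (typeof claims.role !== "string" || typeof claims.exp !== "number") return null;
    if (claims.exp <= now) return null;
    return claims;
  } catch {
    return null;
  }
}

// The authorization decision in the same order as the middleware steps:
// extract token -> verify -> look up the role's permissions -> check -> 200/401/403.
export function authorize(
  authorizationHeader: string | undefined,
  requiredPermission: string,
  now = nowSeconds(),
): 200 | 401 | 403 {
  const [scheme, token] = (authorizationHeader ?? "").split(" ");
  if (scheme !== "Bearer" || !token) return 401;
  const claims = verifyAccessToken(token, now);
  if (!claims) return 401;
  const permissions = roles.get(claims.role);
  if (!permissions || !permissions.includes(requiredPermission)) return 403;
  return 200;
}

// Stand-in for the admin update endpoint: the store is read on every request,
// so the new permission list applies to the very next call without reissuing tokens.
export function setRolePermissions(role: string, permissions: string[]): boolean {
  if (!roles.has(role)) return false;
  roles.set(role, [...permissions]);
  return true;
}

// Walks through the post's scenario and returns the status of each step.
export function demo(): number[] {
  const manager = signAccessToken("u-42", "Manager");
  const results: number[] = [];
  results.push(authorize(`Bearer ${manager}`, "users.manage")); // 403: not granted yet
  setRolePermissions("Manager", ["dashboard.view", "reports.view", "users.manage"]);
  results.push(authorize(`Bearer ${manager}`, "users.manage")); // 200: same token, new permissions
  // Forged token: payload rewritten to claim Admin, original signature kept.
  const [h, , s] = manager.split(".");
  const forgedPayload = b64url(JSON.stringify({ userId: "u-42", role: "Admin", exp: 4102444800 }));
  results.push(authorize(`Bearer ${h}.${forgedPayload}.${s}`, "users.manage")); // 401: bad signature
  results.push(authorize(undefined, "dashboard.view")); // 401: no header
  const stale = signAccessToken("u-42", "Manager", 900, nowSeconds() - 3600);
  results.push(authorize(`Bearer ${stale}`, "dashboard.view")); // 401: expired
  results.push(authorize(`Bearer ${signAccessToken("u-7", "Employee")}`, "reports.view")); // 403
  return results;
}
```

One consequence of this design worth keeping in mind: changing a role's permission list is immediate because the store is consulted on every request, but the role name itself lives inside the access token, so moving a user to a different role only takes effect when a new access token is issued (at most 15 minutes later with the expiry used in the post, unless the refresh flow or a token revocation list is used to cut that short).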
To allow admins to dynamically manage user permissions, we need an API that updates the permissions for specific roles. Here’s how the request will be processed:
▪️The admin sends a request with the updated permissions for a role.
▪️The backend verifies if the admin has the necessary privileges.
▪️If authorized, the backend updates the permissions in the database.
▪️Changes take effect immediately, without requiring a restart.
import { Request, Response } from "express";
import RoleModel from "../models/roleModel";

// Mount behind the middleware so only roles holding "users.manage" can reach it:
//   router.put("/admin/roles/permissions", roleMiddleware("users.manage"), updateRolePermissions)
export const updateRolePermissions = async (req: Request, res: Response) => {
  try {
    const { role, permissions } = req.body;

    // Validate the shape before it reaches the query: role must be a string and
    // permissions an array of strings; anything else is rejected with 400.
    if (
      typeof role !== "string" ||
      !Array.isArray(permissions) ||
      !permissions.every((p) => typeof p === "string")
    ) {
      return res.status(400).json({ message: "Invalid role or permissions" });
    }

    const updatedRole = await RoleModel.findOneAndUpdate(
      { role },
      { permissions },
      { new: true } // return the updated document rather than the previous one
    );
    if (!updatedRole) {
      return res.status(404).json({ message: "Role not found" });
    }
    res
      .status(200)
      .json({ message: "Permissions updated successfully", updatedRole });
  } catch (error) {
    // Log the raw error server-side; do not echo it to the client.
    console.error(error);
    res.status(500).json({ message: "Error updating permissions" });
  }
};
Example request:

PUT /api/admin/roles/permissions
Content-Type: application/json
Authorization: Bearer <admin-token>

{
  "role": "Manager",
  "permissions": ["dashboard.view", "reports.view"]
}

Example response (200 OK):

{
  "message": "Permissions updated successfully",
  "updatedRole": {
    "role": "Manager",
    "permissions": ["dashboard.view", "reports.view"]
  }
}
This ensures that role permissions can be updated dynamically and securely by authorized admins.
In the frontend, we need to ensure that users only see the elements they have permission to access. This can be achieved using React context and conditional rendering.
import { useContext } from "react";
import { AuthContext } from "../context/AuthContext";

const Dashboard = () => {
  const { user } = useContext(AuthContext);
  return (
    <div>
      <h1>Dashboard</h1>
      {user?.permissions.includes("dashboard.view") && (
        <p>Welcome to the Dashboard</p>
      )}
      {user?.permissions.includes("reports.view") && (
        <button>View Reports</button>
      )}
    </div>
  );
};

export default Dashboard;
To prevent unauthorized users from accessing protected pages, we implement a ProtectedRoute component that checks user permissions before rendering a page.
import { Navigate } from "react-router-dom";
import { useContext } from "react";
import type { ReactNode } from "react";
import { AuthContext } from "../context/AuthContext";

type ProtectedRouteProps = {
  children: ReactNode;
  requiredPermission: string;
};

// Redirects users who lack the required permission. This only controls what the UI
// renders; the backend middleware remains the authority on every API call.
const ProtectedRoute = ({ children, requiredPermission }: ProtectedRouteProps) => {
  const { user } = useContext(AuthContext);
  if (!user || !user.permissions.includes(requiredPermission)) {
    return <Navigate to="/unauthorized" replace />;
  }
  return <>{children}</>;
};

export default ProtectedRoute;
import { BrowserRouter as Router, Routes, Route } from "react-router-dom";
import Dashboard from "./pages/Dashboard";
import Reports from "./pages/Reports";
import Unauthorized from "./pages/Unauthorized";
import ProtectedRoute from "./components/ProtectedRoute";

const App = () => {
  return (
    <Router>
      <Routes>
        <Route
          path="/dashboard"
          element={
            <ProtectedRoute requiredPermission="dashboard.view">
              <Dashboard />
            </ProtectedRoute>
          }
        />
        <Route
          path="/reports"
          element={
            <ProtectedRoute requiredPermission="reports.view">
              <Reports />
            </ProtectedRoute>
          }
        />
        <Route path="/unauthorized" element={<Unauthorized />} />
      </Routes>
    </Router>
  );
};

export default App;
Imagine an application with three roles: Admin, Manager, and Employee.
▪️Admin: Can manage users, view reports, and modify permissions.
▪️Manager: Can view reports but cannot modify permissions.
▪️Employee: Can access only the dashboard.
If an Admin updates the Manager’s permissions to include “users.manage”, the Manager instantly gains access to that API and UI element, without requiring a code change.
▪️Use short-lived access tokens (e.g., 15 minutes) and refresh tokens.
▪️Store tokens securely (use HTTP-only cookies instead of local storage).
▪️Rate-limit authentication endpoints to prevent brute-force attacks.
▪️Implement logging & monitoring to track permission updates.
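The last item, logging and monitoring of permission updates, is the one most often left as a sentence. Here is an added example (not the post's code) of what the update handler should record and what a detection rule over those records looks like: a structured audit event with the added and removed permissions, one JSON object per line for a log shipper, and a scan that surfaces every update granting a permission from a constructed "sensitive" list. The event shape, the sensitive list, the actor ids and the timestamps are all assumptions made for the example; the roles and permission strings are the post's.

```typescript
// Structured record written whenever a role's permission list changes.
export type AuditEvent = {
  action: "role.permissions.update";
  actorId: string; // admin who made the change, taken from their verified token
  role: string;
  added: string[];
  removed: string[];
  at: string; // ISO-8601 timestamp
};

// Constructed list: permissions whose grant should be reviewed by a person, not just logged.
export const SENSITIVE_PERMISSIONS: ReadonlySet<string> = new Set(["users.manage"]);

export function diffPermissions(
  before: string[],
  after: string[],
): { added: string[]; removed: string[] } {
  const wasSet = new Set(before);
  const isSet = new Set(after);
  return {
    added: after.filter((p) => !wasSet.has(p)).sort(),
    removed: before.filter((p) => !isSet.has(p)).sort(),
  };
}

// Called by the update handler with the role's permissions before and after the write.
export function buildAuditEvent(
  actorId: string,
  role: string,
  before: string[],
  after: string[],
  at: string = new Date().toISOString(),
): AuditEvent {
  const { added, removed } = diffPermissions(before, after);
  return { action: "role.permissions.update", actorId, role, added, removed, at };
}

// One JSON object per line so a log shipper can forward it and a SIEM can query it.
export function formatAuditLine(event: AuditEvent): string {
  return JSON.stringify(event);
}

function parseAuditLine(line: string): AuditEvent | null {
  try {
    const parsed: unknown = JSON.parse(line);
    if (typeof parsed !== "object" || parsed === null) return null;
    return parsed as AuditEvent;
  } catch {
    return null;
  }
}

export type SensitiveGrant = { actorId: string; role: string; granted: string[]; at: string };

// Detection rule over shipped audit lines: every update that granted a sensitive
// permission. Malformed lines are skipped rather than aborting the scan.
export function findSensitiveGrants(lines: string[]): SensitiveGrant[] {
  const hits: SensitiveGrant[] = [];
  for (const line of lines) {
    const event = parseAuditLine(line);
    if (!event || event.action !== "role.permissions.update" || !Array.isArray(event.added)) continue;
    const granted = event.added.filter((p) => SENSITIVE_PERMISSIONS.has(p));
    if (granted.length > 0) {
      hits.push({ actorId: event.actorId, role: event.role, granted, at: event.at });
    }
  }
  return hits;
}

// Constructed sample log reproducing the post's scenario: the Admin extends the
// Manager role, a second update only removes a permission, and one line is corrupt.
export function sampleLog(): string[] {
  return [
    formatAuditLine(buildAuditEvent("admin-1", "Manager",
      ["dashboard.view", "reports.view"],
      ["dashboard.view", "reports.view", "users.manage"],
      "2024-01-01T10:00:00.000Z")),
    formatAuditLine(buildAuditEvent("admin-1", "Employee",
      ["dashboard.view", "reports.view"], ["dashboard.view"],
      "2024-01-01T10:05:00.000Z")),
    "{not valid json",
  ];
}
```

Recording the diff rather than the full new list makes the log directly answerable to the questions an incident responder asks (who granted what, to which role, when), and the scan above is the kind of rule that belongs in the monitoring the post recommends.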
This dynamic RBAC system provides granular permission control, allowing real-time updates to user access. By separating concerns between the backend (authorization enforcement) and frontend (UI access control), we ensure a secure, scalable, and maintainable authentication and authorization model.