Introduction to Access Control
Beyond the Front Door
In the previous module, we successfully deployed an “Admin Door” by implementing Authentication with Passport.js. We have a robust system that stands at the entrance, diligently checking credentials and handing out authenticated session wristbands.
But right now, anyone holding a wristband is treated exactly the same. They can walk straight into the control room, unplug the servers, and remodel the database.
This exposes the critical difference between Authentication (AuthN) and Authorization (AuthZ).
The Two Pillars of Identity
- Authentication (AuthN) answers the question: “Who are you, and can you prove it?” Our Passport strategy and bcrypt hashing handle this perfectly.
- Authorization (AuthZ) answers a vastly different question: “What are you allowed to do now that you are inside?”
Think of it like navigating an airport. Showing your passport and boarding pass to the TSA agent is Authentication. They verify you are who you claim to be, and they let you into the terminal.
However, just because you are in the terminal does not mean you are allowed to walk onto the tarmac, enter the air traffic control tower, or sit in the pilot’s seat. The badge scanners on those specific doors, which enforce what you are permitted to do, represent Authorization.
Professor Solo: If you configure authentication but forget authorization, your architecture operates under the dangerous assumption that “Logged in” automatically equals “Root Administrator.” This is how entire databases get mysteriously wiped by the new intern on a Friday afternoon.
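The split described above, as an added example that is not part of the course repo: two Express-style middleware functions, one that only checks for a proven identity (AuthN) and one that checks the identity’s role against the route (AuthZ). Express itself is not imported; the functions follow the `(req, res, next)` contract and are driven by a small hand-written dispatcher, and the role names (`admin`, `member`) and the session objects are constructed for the example.

```javascript
// Added example (not the course's own code): AuthN gate vs AuthZ gate.
// With Passport, req.user is populated from the session; here we build
// req objects by hand so the example runs without Express installed.

// AuthN gate: is there a proven identity on the request at all?
function ensureAuthenticated(req, res, next) {
  if (req.user) return next();
  res.status(401).end(); // no wristband: not logged in
}

// AuthZ gate: given a proven identity, may it use THIS route?
// Role names are assumptions for this example.
function requireRole(...allowed) {
  return function (req, res, next) {
    if (!req.user) return res.status(401).end();
    if (allowed.includes(req.user.role)) return next();
    res.status(403).end(); // logged in, but not permitted here
  };
}

// Tiny dispatcher standing in for app.get('/admin', ...middlewares, handler):
// runs the chain in order and stops as soon as a middleware responds.
function runRoute(middlewares, handler, req) {
  const res = {
    statusCode: 200,
    status(code) { this.statusCode = code; return this; },
    end() { this.ended = true; },
  };
  let i = 0;
  function next() {
    const mw = middlewares[i++];
    if (mw) mw(req, res, next);
    else handler(req, res);
  }
  next();
  return res.statusCode;
}

// The control-room route: must be logged in AND hold the admin role.
const adminChain = [ensureAuthenticated, requireRole('admin')];
const adminHandler = (req, res) => res.status(200).end();

// Returns the HTTP status a given session would receive on /admin.
function accessAdmin(user) {
  return runRoute(adminChain, adminHandler, { user });
}

// Constructed sample sessions: anonymous, a logged-in member, an admin.
// Only the last one reaches the handler; the member is authenticated
// but still rejected, which is exactly the AuthN/AuthZ distinction.
console.log(accessAdmin(undefined));                        // 401
console.log(accessAdmin({ name: 'intern', role: 'member' })); // 403
console.log(accessAdmin({ name: 'ops', role: 'admin' }));     // 200
```

Note that `requireRole` re-checks `req.user` even though `ensureAuthenticated` runs first; the AuthZ gate should not silently assume an earlier middleware was mounted on the same route.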
Learning Goals
In this module, we will explore the theory and practical implementation of access control layers. By the end, we’ll be able to:
- Articulate the critical architectural split between AuthN and AuthZ.
- Understand the benefits of Role-Based architecture over localized Access Control Lists.
- Define a strict, scalable set of roles tailored for a web application.
- Architect granular middleware sequences enforcing access control across Express routes.
- Hydrate UI templates with authorization context to intentionally hide sensitive controls from under-privileged users.
Extra Bits & Bytes
Starting point repo (continued from Auth with Passport repo)
⏭ Next: The RBAC Paradigm
Identity is established. Now let’s figure out how the industry scales assigning permissions to those identities.