FrontendInterviews.dev

Authorization Best Practices

Easy•

Authorization ensures users can only access resources and perform actions they're permitted to. Proper authorization prevents privilege escalation and data breaches.

Quick Navigation: Authorization Patterns • Best Practices

Quick Decision Guide

Quick Implementation Guide:

RBAC Pattern: Users → Roles → Permissions 

const roles = { admin: ['read','write','delete'], editor: ['read','write'], viewer: ['read'] };
function can(user, action) { return roles[user.role]?.includes(action); }

Resource Ownership Check: Always verify user owns resource: 

if (post.authorId !== user.id && !can(user, 'delete')) return 403;

Server-Side Validation: NEVER trust client-side checks. Always validate permissions on server for every request.

Middleware Pattern: Create auth middleware: 

function requirePermission(action) {
  return (req, res, next) => {
    if (!can(req.user, action)) return res.status(403).json({ error: 'Forbidden' });
    next();
  };
}

Common Mistake: Assuming authenticated = authorized. Always check permissions, not just authentication.

Authorization Patterns

Principle of Least Privilege

Users should have minimum necessary permissions to perform their tasks.

Role-Based Access Control (RBAC)

Structure:

•Users → Roles → Permissions
•Roles: admin, editor, viewer
•Permissions: read, write, delete, manage

Implementation:

const roles = {
  admin: ['read', 'write', 'delete', 'manage'],
  editor: ['read', 'write'],
  viewer: ['read']
};

function checkPermission(user, resource, action) {
  const userPermissions = roles[user.role] || [];
  return userPermissions.includes(action);
}

Resource-Level Authorization

Check ownership:

•User can only access their own resources
•Compare user ID with resource owner ID
•Apply to all CRUD operations

Best Practices

Always Verify on Server

Never trust client-side checks:

•Client-side checks are for UX only
•Server must validate every request
•Assume client can be compromised

Fail Securely

Default to deny:

•If authorization check fails, deny access
•Don't expose why access was denied
•Log authorization failures for monitoring

Centralize Authorization Logic

Single source of truth:

•Create authorization middleware
•Reuse across endpoints
•Easier to maintain and audit

Key Takeaways

1Authorization is separate from authentication
2Always verify permissions on the server side
3Implement principle of least privilege
4Use RBAC for simple scenarios, ABAC for complex
5Check both role permissions and resource ownership
6Fail securely - default to deny access
Previous
Authentication Best Practices
Complete & Next
Cookie Security: SameSite, HttpOnly, Secure