What Is Authorization?
Authorization determines what an authenticated user (or service, or token) is allowed to do: which resources they can access and which actions they can perform on them. It is a distinct step from authentication. Login establishes who the caller is; authorization then decides, on every request, whether that caller may perform this action on this object: can this user edit this document? Can they open the admin panel? A missing or incomplete authorization check is an access-control flaw even when authentication is perfect.
How Authorization Works
Common patterns: Role-Based Access Control (RBAC) assigns roles (admin, editor, viewer) to users, and each role carries a predefined set of permissions; the check is "does one of this user's roles grant this permission?". Attribute-Based Access Control (ABAC) evaluates policies over user attributes, resource properties, and request context (for example, "an editor may edit a document only if they own it"), which covers decisions RBAC cannot express with roles alone. Row-level security (RLS) in PostgreSQL enforces authorization inside the database: a policy attached to a table filters which rows a given database role can see or modify, so the restriction still holds if application code forgets a check. Whatever the pattern, the decision should deny by default, so anything not explicitly granted is refused.
Key Concepts
- RBAC — Role-Based Access Control — assign roles (admin, user, editor) with specific permissions
- ABAC — Attribute-Based Access Control — policies based on user attributes, resource properties, and context
- Middleware — Authorization checks run as middleware — intercept requests before they reach route handlers, and reject them with 403 unless a permission is explicitly granted. Middleware is a good fit for route-level checks (is this role allowed to call this endpoint at all?); object-level checks (does this user own document 42?) need the target resource loaded, so they must run where that resource is available, and skipping them is the classic broken object-level authorization (IDOR) bug
Frequently Asked Questions
How do I implement authorization?
Start with RBAC for simple apps. Store role assignments in the database (never trust a role claimed by the client in a cookie or request body), deny by default, check route-level permissions in middleware, and check object-level ownership wherever the handler loads the resource. For complex needs, use libraries like CASL (JavaScript) or Casbin, or services like Auth0/WorkOS, rather than hand-rolling policy evaluation.
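The following is an added example, not code from the original page or from any of the libraries it names. It puts together the patterns described under "How Authorization Works" and in the answer above: an RBAC role-to-permission table, ABAC-style conditions layered on top of the role grant, and a deny-by-default, Express-style middleware that loads the target object so the decision is object-level rather than route-level. The role names, permission strings, request/response shapes, users and documents are all constructed for the demo.

```javascript
// Added example (not from the original page): RBAC + ABAC policy check behind
// a deny-by-default middleware. No framework dependency; the req/res/next
// shapes mimic Express-style middleware but are assumptions for the demo.

// RBAC: role -> set of permissions, written as "<action>:<resourceType>".
const ROLE_PERMISSIONS = {
  admin:  new Set(['read:document', 'edit:document', 'delete:document', 'read:admin-panel']),
  editor: new Set(['read:document', 'edit:document']),
  viewer: new Set(['read:document']),
};

// ABAC: conditions evaluated over user attributes and the specific resource,
// applied only after a role has granted the permission. No condition means
// the role grant alone is sufficient.
const CONDITIONS = {
  // Editors may only edit documents they own; admins are exempt.
  'edit:document': (user, doc) => user.roles.includes('admin') || doc.ownerId === user.id,
  // Published documents are readable by anyone with the role; drafts only by owner/admin.
  'read:document': (user, doc) =>
    doc.published === true || user.roles.includes('admin') || doc.ownerId === user.id,
};

// Deny by default: unauthenticated callers, unknown roles, unknown permissions
// and a missing resource (when a condition needs one) all evaluate to false.
function isAllowed(user, action, resourceType, resource) {
  if (!user || !Array.isArray(user.roles)) return false;
  const permission = `${action}:${resourceType}`;
  const granted = user.roles.some((role) => ROLE_PERMISSIONS[role]?.has(permission) === true);
  if (!granted) return false;
  const condition = CONDITIONS[permission];
  if (!condition) return true;
  return resource !== undefined && condition(user, resource) === true;
}

// Middleware factory. loadResource(req) returns the targeted object (or undefined),
// which makes the check object-level: changing the id in the URL to someone
// else's document still has to pass the ownership condition.
// Synchronous here so the demo is self-contained; a real loader would be async.
function requirePermission(action, resourceType, loadResource) {
  return function authorize(req, res, next) {
    const resource = loadResource ? loadResource(req) : undefined;
    if (loadResource && resource === undefined) return res.status(404).end();
    if (!isAllowed(req.user, action, resourceType, resource)) return res.status(403).end();
    req.resource = resource; // handler reuses the already-authorized object
    return next();
  };
}

// Constructed sample data (assumptions for the demo, not real accounts).
const DOCUMENTS = {
  '1': { id: '1', ownerId: 'alice', published: true },
  '2': { id: '2', ownerId: 'bob',   published: false },
};
const USERS = {
  alice: { id: 'alice', roles: ['editor'] },
  bob:   { id: 'bob',   roles: ['editor'] },
  carol: { id: 'carol', roles: ['viewer'] },
  root:  { id: 'root',  roles: ['admin'] },
};
const loadDocument = (req) => DOCUMENTS[req.params.id];

// Tiny harness: returns the HTTP status the middleware set, or 200 if it
// handed the request on to the handler via next().
function simulate(action, userName, docId) {
  const mw = requirePermission(action, 'document', loadDocument);
  const req = { user: USERS[userName], params: { id: docId } };
  let status = 200;
  const res = { status(code) { status = code; return this; }, end() {} };
  mw(req, res, () => {});
  return status;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('alice edits own doc 1:', simulate('edit', 'alice', '1'));   // 200
  console.log('bob edits alice doc 1:', simulate('edit', 'bob', '1'));     // 403
  console.log('carol reads draft 2:',   simulate('read', 'carol', '2'));   // 403
  console.log('admin edits doc 2:',     simulate('edit', 'root', '2'));    // 200
  console.log('anonymous reads doc 1:', simulate('read', undefined, '1')); // 403
}
```

Two design choices worth copying into real code: the role check and the attribute condition are separate steps, so adding an ABAC rule never widens what a role can do, only narrows it; and the middleware refuses when a condition needs a resource that was never loaded, so a forgotten loader fails closed instead of silently granting access.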