Week 2: Auth & Access Control — Nov 2 – 8, 2024

TL;DR: the secure login system, refresh tokens, and a full role-based permissions system are live. Every API endpoint now knows who you are and what you can do.

Highlights This Week

  • Implemented secure login system with access + refresh token flow
  • Built a role-based access control (RBAC) system with 6 default roles
  • Added auth middleware that protects every route

Authentication Architecture

We implemented a dual-token strategy: short-lived access tokens (15 min) for API calls and long-lived refresh tokens (7 days) stored securely. The refresh flow is transparent to the frontend — when a 401 hits, the client automatically rotates tokens without user interruption.

How It Works

Login returns both tokens. The access token is stored in memory (never localStorage) and attached to every API call via an Axios interceptor. The refresh token lives in an httpOnly cookie. On expiry, a background refresh happens seamlessly.
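The flow described above, modelled end to end as an added example (this is not the project's code): a fake backend issues 15-minute access tokens and 7-day refresh tokens, the client keeps the access token only in a closure variable, a 401 triggers one transparent refresh and retry, and concurrent 401s share a single in-flight refresh so a rotated refresh token is never presented twice. The single-use refresh policy and every name here (makeFakeServer, makeClient, apiFetch, refreshOnce) are assumptions; the real refresh token would travel in an httpOnly cookie the browser attaches itself, which the fake server stands in for. It runs without Axios or any dependency:

```javascript
// Added example, not the project's code: a minimal model of the dual-token flow.
// Access token in a closure variable (never localStorage); refresh token modelled
// as the cookie value the fake server checks; one transparent refresh + retry on
// 401; concurrent 401s share one refresh. All names are hypothetical.

const ACCESS_TTL = 15 * 60;           // 15 minutes, as in the post
const REFRESH_TTL = 7 * 24 * 60 * 60; // 7 days, as in the post

// Fake backend, constructed for the example. `clock` is simulated time in seconds.
function makeFakeServer() {
  const state = { clock: 0, access: new Map(), refresh: new Map(), serial: 0, refreshes: 0 };

  function issuePair() {
    state.serial += 1;
    const access = `at-${state.serial}`;
    const refresh = `rt-${state.serial}`;
    state.access.set(access, state.clock + ACCESS_TTL);
    state.refresh.set(refresh, state.clock + REFRESH_TTL);
    return { access, refresh };
  }

  return {
    state,
    advance(seconds) { state.clock += seconds; },
    login() { return issuePair(); },
    // Protected endpoint: 401 when the bearer token is unknown or expired.
    api(path, bearer) {
      const exp = state.access.get(bearer);
      if (exp === undefined || exp <= state.clock) return { status: 401 };
      return { status: 200, body: { path } };
    },
    // Refresh endpoint: presented refresh token is single-use (assumed policy),
    // it is revoked and a fresh access + refresh pair is issued.
    refresh(cookie) {
      const exp = state.refresh.get(cookie);
      if (exp === undefined || exp <= state.clock) return { status: 401 };
      state.refresh.delete(cookie);
      state.refreshes += 1;
      return { status: 200, body: issuePair() };
    },
  };
}

// Client side. Only the access token is readable by JavaScript; `refreshCookie`
// stands in for the httpOnly cookie the browser would send automatically.
function makeClient(server) {
  let accessToken = null, refreshCookie = null, inflightRefresh = null;

  function login() { const p = server.login(); accessToken = p.access; refreshCookie = p.refresh; }

  // Single-flight refresh: concurrent 401s await the same promise, so the
  // single-use refresh token is never presented twice.
  function refreshOnce() {
    if (!inflightRefresh) {
      inflightRefresh = (async () => {
        await Promise.resolve(); // simulated network round trip
        const res = server.refresh(refreshCookie);
        if (res.status !== 200) {
          accessToken = null;
          refreshCookie = null;
          throw new Error('session expired, re-login required');
        }
        accessToken = res.body.access;
        refreshCookie = res.body.refresh;
      })().finally(() => { inflightRefresh = null; });
    }
    return inflightRefresh;
  }

  // Interceptor-style wrapper: attach the bearer token, retry exactly once after a refresh.
  async function apiFetch(path) {
    let res = server.api(path, accessToken);
    if (res.status === 401) {
      await refreshOnce();
      res = server.api(path, accessToken);
    }
    return res;
  }

  return { login, apiFetch, get accessToken() { return accessToken; } };
}

// Walk-through: fresh login, expiry, then two concurrent calls that share one refresh.
async function demo() {
  const server = makeFakeServer();
  const client = makeClient(server);
  client.login();
  const before = client.accessToken;
  const first = await client.apiFetch('/jobs');
  server.advance(ACCESS_TTL + 1); // access token is now expired
  const results = await Promise.all([client.apiFetch('/jobs'), client.apiFetch('/customers')]);
  return { first: first.status, afterExpiry: results.map((r) => r.status),
           refreshes: server.state.refreshes, rotated: client.accessToken !== before };
}

demo().then((r) => console.log(r));
```

The single-flight guard is the part worth keeping in a real Axios interceptor: without it, two requests failing at the same instant each call the refresh endpoint, and under a rotation policy the second presents an already-revoked token and logs the user out.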

Role-Based Access Control

Six roles out of the box: Owner, Manager, Dispatcher, Technician, Accountant, and Viewer. Each role maps to a permission set covering CRUD operations across all modules. The permission check is a simple hasPermission('jobs:create') call available everywhere — middleware, components, and services.
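An added example of that permission model, not the project's code: the six role names come from the post, but the module list, the permission each role actually gets, the explicit role argument to hasPermission (the post's call infers the current user) and the requirePermission middleware shape are all assumptions. It denies by default for unknown roles and malformed permission strings, and shows the same check used from middleware and from plain code:

```javascript
// Added example, not the project's code. Role -> permission sets and a
// hasPermission() check usable from middleware and UI code. Role names are
// from the post; modules, assignments and requirePermission are assumed.

const MODULES = ['customers', 'properties', 'jobs', 'invoices']; // assumed module list
const ACTIONS = ['create', 'read', 'update', 'delete'];           // CRUD

// Build "module:action" permission strings for the given modules and actions.
function perms(modules, actions) {
  const out = [];
  for (const m of modules) for (const a of actions) out.push(`${m}:${a}`);
  return out;
}

// Assumed default mapping: Owner gets everything, Viewer is read-only, the
// rest are scoped to the modules their job touches.
const ROLE_PERMISSIONS = {
  Owner: new Set(perms(MODULES, ACTIONS)),
  Manager: new Set(perms(MODULES, ['create', 'read', 'update'])),
  Dispatcher: new Set([
    ...perms(['jobs'], ['create', 'read', 'update']),
    ...perms(['customers', 'properties'], ['read']),
  ]),
  Technician: new Set([
    ...perms(['jobs'], ['read', 'update']),
    ...perms(['customers', 'properties'], ['read']),
  ]),
  Accountant: new Set([
    ...perms(['invoices'], ACTIONS),
    ...perms(['customers', 'jobs'], ['read']),
  ]),
  Viewer: new Set(perms(MODULES, ['read'])),
};

// Deny by default: unknown role, malformed permission string (no wildcards),
// or a permission the role simply lacks all return false.
function hasPermission(role, permission) {
  if (typeof permission !== 'string' || !/^[a-z]+:[a-z]+$/.test(permission)) return false;
  const set = ROLE_PERMISSIONS[role];
  return set instanceof Set && set.has(permission);
}

// Express-style middleware factory. No framework is needed here: req, res and
// next are plain values so the same function can be exercised in isolation.
function requirePermission(permission) {
  return function (req, res, next) {
    const role = req.user && req.user.role; // populated earlier by the auth middleware
    if (!hasPermission(role, permission)) {
      res.status = 403;
      res.body = { error: 'forbidden', required: permission };
      return res;
    }
    return next();
  };
}

// Push a simulated request through the middleware and report what happened.
function simulate(role, permission) {
  const req = { user: role ? { role } : null };
  const res = { status: 200, body: null };
  let reachedHandler = false;
  requirePermission(permission)(req, res, () => { reachedHandler = true; return res; });
  return { status: reachedHandler ? 200 : res.status, reachedHandler };
}

console.log(simulate('Dispatcher', 'jobs:create'));  // reaches the handler
console.log(simulate('Viewer', 'jobs:create'));      // 403
console.log(simulate(null, 'jobs:read'));            // 403: unauthenticated
```

Because the check is one pure function over a role and a permission string, the same hasPermission is safe to call from a React component to hide a button and from the server to actually enforce the rule; only the server-side call is a security boundary.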

What’s Next

Building the core database services for customers, properties, and jobs.