Stats
Actions
Tags
From full-stack-auth
Implements server-side RBAC and permission checks by validating and decoding access tokens, extracting roles/permissions, and enforcing them with middleware/decorators at route boundaries. Use when building authorization around Scalekit tokens that embed roles and permissions.
How this skill is triggered — by the user, by Claude, or both
Slash command
/full-stack-auth:implementing-access-controlThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Use this Skill after authentication is working and the app must authorize access to routes/actions by inspecting the user's access token for `roles` and `permissions`.
Use this Skill after authentication is working and the app must authorize access to routes/actions by inspecting the user's access token for roles and permissions.
Scalekit can embed these authorization details in the access token during the authentication flow, so the app can make decisions without extra API calls.
Always validate the token's integrity before trusting any embedded roles/permissions.
sub, oid, roles, and permissions.req.user = { id, organizationId, roles, permissions }) so downstream handlers can authorize consistently.resource:action).Validate+extract, then RBAC/PBAC guards.
// validate + extract
const validateAndExtractAuth = async (req, res, next) => {
try {
const accessToken = decrypt(req.cookies.accessToken); // if encrypted
const isValid = await scalekit.validateAccessToken(accessToken);
if (!isValid) return res.status(401).json({ error: "Invalid or expired token" });
const tokenData = await dessToken(accessToken); // JWT decode library
req.user = {
id: tokenData.sub,
organizationId: tokenData.oid,
roles: tokenData.roles || [],
permissions: tokenData.permissions || []
};
next();
} catch {
return res.status(401).json({ error: "Authentication failed" });
}
};
// RBAC
const hasRole = (user, role) => user.roles?.includes(role);
const requireRole = (role) => (req, res, next) =>
hasRole(req.user, role) ? next() : res.status(403).json({ error: `Access denied. Required role: ${role}` });
// PBAC
const hasPermission = (user, perm) => user.permissions?.includes(perm);
const requirePermission = (perm) => (req, res, next) =>
hasPermission(req.user, perm) ? next() : res.status(403).json({ error: `Access denied. Required permission: ${perm}` });
// usage
app.get("/api/projects", validateAndExtractAuth, requirePermission("projects:read"), handler);
app.get("/api/admin/users", validateAndExtractAuth, requireRole("admin"), handler);
Validate+extract, then RBAC/PBAC decorators.
from functools import wraps
def validate_and_extract_auth(f):
@wraps(f)
def decorated(*args, **kwargs):
access_token = decrypt(request.cookies.get("accessToken"))
if not scalekit_client.validate_access_token(access_token):
return jsonify({"error": "Invalid or expired token"}), 401
token_data = scalekit_client.decode_access_token(access_token)
request.user = {
"id": token_data.get("sub"),
"organization_id": token_data.get("oid"),
"roles": token_data.get("roles", []),
"permissions": token_data.get("permissions", []),
}
return f(*args, **kwargs)
return decorated
def require_role(role):
def decorator(f):
@wraps(f)
def decorated(*args, **kwargs):
if role not in getattr(request, "user", {}).get("roles", []):
return jsonify({"error": f"Access denied. Required role: {role}"}), 403
return f(*args, **kwargs)
return decorated
return decorator
def require_permission(permission):
def decorator(f):
@wraps(f)
def decorated(*args, **kwargs):
if permission not in getattr(request, "user", {}).get("permissions", []):
return jsonify({"error": f"Access denied. Required permission: {permission}"}), 403
return f(*args, **kwargs)
return decorated
return decorator
Prefer roles for broad tiers (admin/manager/member) and permissions for granular actions like projects:create or tasks:assign.
Common patterns include "admin bypass" (admins skip some permission checks) and "resource ownership" (user can edit only their own resource unless elevated).
Avoid building authorization solely in the frontend because it can be bypassed.
roles and permissions are normalizeays and attached to request context.requireRole(...) and/or requirePermission(...) at the boundary.resource:action convention.npx claudepluginhub scalekit-inc/claude-code-authstack --plugin full-stack-authEnforces deny-by-default authorization at every resource access point using RBAC or ABAC patterns. Use when implementing access control decisions for APIs, web apps, or services.
Implements Node.js RBAC with permissions, role inheritance, Express middleware; Python ABAC patterns and access control models. For admin dashboards, multi-tenant apps, authorization.
Implements auth patterns like JWT, OAuth2, sessions, and RBAC for securing APIs. Use for user auth, API protection, social login, or debugging security issues.