AUTHORIZATION PATTERNS AND ACCESS CONTROL | VIBEEVAL

Authorization Must Be Checked on Every Request

AI-generated code often performs authentication once at login but skips authorization checks on individual resource access. Just because a user is logged in does not mean they have permission to access every resource. Every API endpoint must verify the user has permission to perform the requested operation on the specific resource.

Authorization Implementation Checklist

Follow these 12 steps to properly implement authorization. Critical items must be verified on every API endpoint that accesses user data.

Verify ownership on every request

Check that the authenticated user owns or has permission to access the requested resource. Never trust client-provided resource IDs without verification.

Implement role-based access control (RBAC)

Define roles (admin, user, moderator) with specific permissions. Check user role before allowing access to administrative or privileged operations.

Use deny-by-default policies

Start with no access and explicitly grant permissions. Require authorization checks for all protected resources, not just sensitive ones.

Separate read and write permissions

Users who can view data may not be allowed to modify it. Implement separate authorization checks for read, create, update, and delete operations.

Validate permissions server-side

Never rely on client-side permission checks or hidden UI elements. All authorization logic must execute on the backend before data access.

Implement resource-level permissions

Some resources require granular access control. Allow users to share specific documents, projects, or records with collaborators.

Use permission scoping for API tokens

API keys and tokens should have limited scope. Allow read-only tokens, resource-specific tokens, or time-limited access tokens.

Implement hierarchical permissions

Organize permissions in hierarchies. Admin inherits moderator permissions, moderator inherits user permissions.

Add permission inheritance for teams

Users inherit permissions from team or organization membership. Workspace admins can manage resources within their workspace.

Log authorization failures

Record when users attempt to access resources without permission. Monitor for privilege escalation attempts or access pattern anomalies.

Implement permission caching carefully

Cache permissions to improve performance but invalidate cache when roles or permissions change to prevent stale access grants.

Audit permission changes

Log when users are granted or revoked permissions, role assignments change, or access policies are modified for compliance and security review.

Common Authorization Vulnerabilities

Insecure Direct Object References

The API accepts resource IDs without verifying that the requesting user has access to them, so a user can view or modify other users' data simply by guessing or enumerating IDs.

Client-Side Authorization Checks

The UI hides buttons or links based on the user's permissions, but the backend still accepts the same requests from users who are not authorized to make them.

Missing Authorization on Updates

Authorization is checked on read endpoints but not on update or delete endpoints, allowing unauthorized modifications of data the user is only permitted to view.

Role Confusion in Authorization

The user's role is stored in a JWT claim but never revalidated against the server-side record, so a user who can alter the role claim in their token can grant themselves elevated privileges.
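The following is an added example, not VibeEval's code: a deny-by-default, per-request authorization check in Python that combines the ownership, hierarchical-role and read/write-separation steps from the checklist above and closes the IDOR and missing-update-check holes just described. The role hierarchy, policy table, users and documents are constructed sample data standing in for a real database.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("authz")

# Constructed role hierarchy: a higher rank inherits every lower role's rights.
ROLE_RANK = {"user": 1, "moderator": 2, "admin": 3}

# Deny-by-default policy: (resource type, action) -> minimum role needed to act
# on a resource the caller does NOT own. Anything not listed here is denied.
POLICY = {
    ("document", "read"): "moderator",
    ("document", "update"): "admin",
    ("document", "delete"): "admin",
}

@dataclass(frozen=True)
class User:
    id: str
    role: str  # resolved from the server-side record, never from the request

@dataclass(frozen=True)
class Document:
    id: str
    owner_id: str

# Constructed sample data in place of a database.
USERS = {"alice": User("alice", "user"), "bob": User("bob", "user"),
         "mia": User("mia", "moderator"), "root": User("root", "admin")}
DOCS = {"d1": Document("d1", "alice"), "d2": Document("d2", "bob")}

def is_allowed(user: User, action: str, doc: Document) -> bool:
    """Owner may do anything; otherwise the role hierarchy decides; else deny."""
    if user.role not in ROLE_RANK:
        return False
    if doc.owner_id == user.id:
        return True
    required = POLICY.get(("document", action))
    if required is None:
        return False
    return ROLE_RANK[user.role] >= ROLE_RANK[required]

def handle(user_id: str, action: str, doc_id: str) -> tuple[int, str]:
    """Per-request check: look up caller and resource server-side, then decide."""
    user = USERS.get(user_id)
    if user is None:
        return 401, "unauthenticated"
    doc = DOCS.get(doc_id)
    if doc is None:
        return 404, "not found"
    if not is_allowed(user, action, doc):
        # Every denial is logged so escalation attempts can be monitored.
        log.warning("authz denied user=%s action=%s doc=%s", user_id, action, doc_id)
        return 403, "forbidden"
    return 200, f"{action} {doc_id}"
```

The same `handle` check runs for read, update and delete alike, so a client-supplied ID never reaches data access without the ownership or role check having passed.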

Test Your Authorization Logic

VibeEval automatically tests authorization by attempting to access resources as different users, testing privilege escalation, and identifying missing authorization checks across your API endpoints.