Access control is a fundamental security requirement for any enterprise SaaS platform. A naive approach involves checking strings in an array, which becomes slow and complex as permissions expand. Here's how to build a scalable and performant RBAC system.
1. Defining the Matrix
We map each operation to a single bit flag:

  const PERMISSIONS = {
    READ_LEADS: 1 << 0, // 1
    WRITE_LEADS: 1 << 1, // 2
    DELETE_LEADS: 1 << 2, // 4
    MANAGE_USERS: 1 << 3 // 8
  };

This allows roles to be defined as numeric sums (bitmasks). A manager who can read and write leads gets a mask of 1 + 2 = 3 (binary 0011). An admin gets 15 (binary 1111).
2. Fast Permission Verification
Using bitwise AND (&) reduces the check to a single integer comparison:

  function hasPermission(userRoleMask: number, requiredPermission: number): boolean {
    return (userRoleMask & requiredPermission) === requiredPermission;
  }

  // Evaluation:
  // 3 (Manager: 0011) & 2 (Write leads: 0010) === 2 -> true
  // 3 (Manager: 0011) & 8 (Manage users: 1000) === 0, not 8 -> false

3. Integrating Express.js Middleware
Create a reusable middleware:

  import { Request, Response, NextFunction } from 'express';

  // Express's Request has no `user` field by default; an upstream
  // authentication step is assumed to populate req.user.roleMask.
  declare module 'express-serve-static-core' {
    interface Request { user?: { roleMask: number } }
  }

  export function requirePermission(permission: number) {
    return (req: Request, res: Response, next: NextFunction) => {
      const userRoleMask = req.user?.roleMask;
      // A missing user and a mask of 0 both stop here: nothing is granted by default.
      if (!userRoleMask || !hasPermission(userRoleMask, permission)) {
        return res.status(403).json({ error: 'Access Denied: Insufficient Permissions' });
      }
      next();
    };
  }

This pattern keeps the authorization check out of every route handler and adds only one integer comparison per request.
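The three pieces above wired together as a stand-alone, framework-free example (added here, not code from the original post): Express's Request, Response and NextFunction are replaced by minimal structural stand-ins (an assumption), `hasPermission` is given a combined mask to demand several permissions on one route, and a `run` helper drives the middleware with constructed requests, including the unauthenticated and zero-mask cases.

```typescript
// Added example, not from the original post; Express types are replaced by
// minimal structural stand-ins so it runs without express installed.
const PERMISSIONS = {
  READ_LEADS: 1 << 0,
  WRITE_LEADS: 1 << 1,
  DELETE_LEADS: 1 << 2,
  MANAGE_USERS: 1 << 3,
} as const;

// A role is the bitwise OR of its permission bits.
const ROLES = {
  MANAGER: PERMISSIONS.READ_LEADS | PERMISSIONS.WRITE_LEADS, // 3
  ADMIN: PERMISSIONS.READ_LEADS | PERMISSIONS.WRITE_LEADS
       | PERMISSIONS.DELETE_LEADS | PERMISSIONS.MANAGE_USERS, // 15
};

// Every bit in `required` must be set; `required` may combine several
// permissions (OR them) to demand all of them for one route.
function hasPermission(mask: number, required: number): boolean {
  return (mask & required) === required;
}

// Stand-ins for express Request/Response/NextFunction (assumption).
type Req = { user?: { roleMask: number } };
type Res = { status(code: number): Res; json(body: unknown): Res };
type Next = () => void;

function requirePermission(required: number) {
  return (req: Req, res: Res, next: Next): void => {
    const mask = req.user?.roleMask;
    // Missing user and a mask of 0 both deny; only a superset of the bits passes.
    if (mask === undefined || !hasPermission(mask, required)) {
      res.status(403).json({ error: 'Access Denied: Insufficient Permissions' });
      return;
    }
    next();
  };
}

// Harness: drives the middleware with a constructed request; returns the status sent or 'next'.
function run(roleMask: number | undefined, required: number): number | 'next' {
  let outcome: number | 'next' = 'next';
  const res: Res = {
    status(code) { outcome = code; return res; },
    json() { return res; },
  };
  const req: Req = { user: roleMask === undefined ? undefined : { roleMask } };
  requirePermission(required)(req, res, () => { outcome = 'next'; });
  return outcome;
}
```

JavaScript bitwise operators work on 32-bit integers, so this scheme holds at most 32 flags; `1 << 32` silently wraps back to 1, and a larger permission set needs BigInt or a second mask.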
