RBAC Middleware
Component Detail
Infrastructure
Complexity: high
Layer: backend
Dependencies: 2
Dependents: 0
Entities: 19
Integrations: 0
Description
Next.js API route middleware that validates JWT role claims on every protected endpoint and enforces minimum required roles server-side. Maintains a token denylist to support immediate privilege revocation, ensuring that role changes take effect before the next natural token expiry cycle.
Component id: rbac-middleware
Responsibilities
- Intercept all protected API requests and validate the JWT bearer token signature and expiry
- Extract and verify role claims embedded in the JWT payload
- Enforce minimum required role per API route, returning structured 403 responses on failure
- Consult the server-side token denylist to block revoked tokens immediately
- Log authorization failures to the audit trail for security monitoring
Interfaces
withRbac(handler: NextApiHandler, requiredRole: UserRole) -> NextApiHandler
validateJwtClaims(token: String) -> JwtClaims | null
isTokenRevoked(jti: String) -> bool
denylistToken(jti: String, expiresAt: Date) -> void
extractBearerToken(req: NextApiRequest) -> String | null
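The interfaces above are signatures only. As an added example (not the project's own middleware), the block below implements the five responsibilities end to end: bearer-token extraction, HS256 signature and expiry validation, a server-side jti denylist, minimum-role enforcement with a structured 403, and an audit record for every authorization failure. It assumes a hypothetical three-level UserRole ordering (viewer < editor < admin), a plain request/response shape standing in for NextApiRequest/NextApiHandler so it runs without Next.js, and a signing secret passed explicitly to validateJwtClaims, which the page's signature leaves implicit.

```typescript
// Added example, not the rbac-middleware project's code. Uses node:crypto only.
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed role ordering; the page does not enumerate UserRole's members.
export type UserRole = "viewer" | "editor" | "admin";
const ROLE_RANK: Record<UserRole, number> = { viewer: 1, editor: 2, admin: 3 };

export interface JwtClaims { sub: string; role: UserRole; jti: string; exp: number }

// Minimal stand-ins for NextApiRequest / NextApiHandler so the block runs offline.
export interface Req { headers: Record<string, string | undefined> }
export interface Res { status: number; body: unknown }
export type Handler = (req: Req) => Res;

// Server-side denylist: jti -> revocation expiry (ms). Entries are only useful
// until the token itself expires, so they are pruned on lookup.
const denylist = new Map<string, number>();
export const auditLog: string[] = [];

function b64url(s: string): string { return Buffer.from(s).toString("base64url"); }

// Issuer side (for the example only): mint an HS256 token.
export function signJwt(claims: JwtClaims, secret: string): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

export function extractBearerToken(req: Req): string | null {
  const auth = req.headers["authorization"];
  if (!auth) return null;
  const m = /^Bearer\s+(\S+)$/i.exec(auth);
  return m ? m[1] : null;
}

// Verify signature before trusting any claim; reject alg confusion and bad shapes.
export function validateJwtClaims(token: string, secret: string, nowMs: number = Date.now()): JwtClaims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  let hdr: { alg?: unknown };
  try { hdr = JSON.parse(Buffer.from(header, "base64url").toString()); } catch (_e) { return null; }
  if (hdr.alg !== "HS256") return null;               // no "none", no RS/HS swap
  const expected = createHmac("sha256", secret).update(`${header}.${payload}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) return null;
  let c: Record<string, unknown>;
  try { c = JSON.parse(Buffer.from(payload, "base64url").toString()); } catch (_e) { return null; }
  if (typeof c.exp !== "number" || c.exp * 1000 <= nowMs) return null;   // expired
  if (typeof c.sub !== "string" || typeof c.jti !== "string") return null;
  // hasOwnProperty, not `in`: "constructor" in ROLE_RANK would be true.
  if (typeof c.role !== "string" || !Object.prototype.hasOwnProperty.call(ROLE_RANK, c.role)) return null;
  return { sub: c.sub, role: c.role as UserRole, jti: c.jti, exp: c.exp };
}

export function isTokenRevoked(jti: string, nowMs: number = Date.now()): boolean {
  const until = denylist.get(jti);
  if (until === undefined) return false;
  if (until <= nowMs) { denylist.delete(jti); return false; }  // token expired anyway
  return true;
}

export function denylistToken(jti: string, expiresAt: Date): void {
  denylist.set(jti, expiresAt.getTime());
}

// Wrap a route handler with a minimum-role requirement. Every refusal is audited.
export function withRbac(handler: Handler, requiredRole: UserRole, secret: string): Handler {
  return (req: Req): Res => {
    const deny = (status: number, reason: string): Res => {
      auditLog.push(`authz_failure status=${status} reason=${reason}`);
      return { status, body: { error: reason } };
    };
    const token = extractBearerToken(req);
    if (!token) return deny(401, "missing_bearer_token");
    const claims = validateJwtClaims(token, secret);
    if (!claims) return deny(401, "invalid_token");
    if (isTokenRevoked(claims.jti)) return deny(401, "token_revoked");
    if (ROLE_RANK[claims.role] < ROLE_RANK[requiredRole]) return deny(403, "insufficient_role");
    return handler(req);
  };
}
```

Two design points worth noting: the signature check runs before any claim is read, so a forged role claim never reaches the comparison, and the denylist is keyed on jti rather than the whole token, so a revocation entry only needs to live until the token's own exp, which bounds the denylist's size.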
Relationships
Dependencies (2)
Components this component depends on
Related Data Entities (19)
Data entities managed by this component
Activity: 25 fields, core
Activity Type: 16 fields, configuration
Assignment: 20 fields, core
Attachment: 14 fields, core
Audit Log: 17 fields, audit
Contact: 29 fields, core
Contact Caregiver: 13 fields, core
Course: 23 fields, core
Event: 17 fields, core
Event Registration: 14 fields, core
Expense Type: 19 fields, configuration
Local Association: 16 fields, core
Note: 16 fields, core
Notification: 21 fields, core
Organization: 22 fields, core
Role: 14 fields, configuration
Session: 19 fields, core
User: 26 fields, core
User Role: 15 fields, core