This project is a Role Based Access Control (RBAC) system built using the MERN stack. It controls what actions a user can perform based on their assigned role and permissions.
Users must authenticate using login credentials. After login, access to features such as creating posts, editing posts, deleting posts, managing users, and viewing audit logs depends on the user’s role.
Roles used in this project:
- Admin → Full access
- Editor → Can create, update, delete own posts
- Viewer → Can only read posts
The project demonstrates real-world security concepts like authentication, authorization, RBAC, ownership-based access, and audit logging.
Frontend:
- React.js
- React Router
- Axios
- Context API
- Custom Hooks
Backend:
- Node.js
- Express.js
- Express Router
- JWT (JSON Web Token)
- bcrypt
- Joi
Database:
- MongoDB
- Mongoose
Security & Utilities:
- Helmet
- CORS
- express-rate-limit
- dotenv
- Audit Logging
DevOps & Tools:
- Docker
- Dockerfile
- docker-compose
- Postman
- User authentication using JWT
- Secure password hashing using bcrypt
- Role Based Access Control (RBAC)
- Permission-based authorization
- Ownership-based access control
- Admin panel for managing users and roles
- Audit logs for tracking user activities
- Protected frontend routes
- Role-based UI rendering
- RESTful API design
- Dockerized backend
- API testing with Postman
- User logs in using email and password
- Backend verifies credentials and generates a JWT token
- Token, role, and permissions are sent to the frontend
- Frontend stores authentication data using AuthContext
- Protected routes allow only authenticated users
- Every API request passes through authentication middleware
- RBAC middleware checks role and permissions
- Editors can modify only their own posts
- Admins can manage users and view audit logs
- Every important action is recorded in AuditLog collection
- JWT based authentication
- Difference between authentication and authorization
- Implementing RBAC in real applications
- Writing custom middleware in Express
- MongoDB schemas and Mongoose models
- Securing APIs using Helmet, CORS, and rate limiting
- Managing global state using React Context
- Connecting frontend and backend using REST APIs
- Using Docker for backend containerization
- API testing using Postman
- Improved understanding of full-stack development
- Learned backend security concepts
- Gained confidence in building secure systems
- Improved problem-solving and debugging skills
- Learned real-world access control implementation
- Better understanding of project structure and architecture
- Dynamic role and permission management
- Refresh tokens for JWT
- Two-factor authentication (2FA)
- Pagination and search features
- Improved UI/UX
- Email notifications for security events
- Exportable audit logs
- Cloud deployment
- Better error handling and logging
git clone https://github.com/your-username/rbac-project.git cd rbac-project
cd server npm install
Create a .env file inside the server folder and add:
PORT=5000 MONGO_URI=your_mongodb_connection_string JWT_SECRET=your_secret_key
Start the backend server: npm start
Backend runs at: http://localhost:5000
This creates default users and sample posts.
npm run seed
cd ../client npm install npm start
Frontend runs at: http://localhost:3000
Admin: Email: admin@example.com Password: password123
Editor: Email: editor@example.com Password: password123
Viewer: Email: viewer@example.com Password: password123
Use Postman to test APIs like:
- POST /auth/login
- GET /posts
- POST /posts
- PATCH /admin/users/:id/role
This RBAC project demonstrates a secure and scalable access control system using modern web technologies. It combines authentication, authorization, role-based UI control, and audit logging, making it suitable for real-world enterprise applications.