{"id":47808941,"url":"https://github.com/arifnextdev/rbac-frontend","last_synced_at":"2026-04-03T18:01:14.438Z","repository":{"id":348199767,"uuid":"1196855270","full_name":"arifnextdev/rbac-frontend","owner":"arifnextdev","description":null,"archived":false,"fork":false,"pushed_at":"2026-03-31T07:54:42.000Z","size":42,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-31T08:48:40.031Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/arifnextdev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-31T05:28:32.000Z","updated_at":"2026-03-31T07:54:45.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/arifnextdev/rbac-frontend","commit_stats":null,"previous_names":["arifnextdev/rbac-frontend"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/arifnextdev/rbac-frontend","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arifnextdev%2Frbac-frontend","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arifnextdev%2Frbac-frontend/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arifnextdev%2Frbac-frontend/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arifnextdev%2Frbac-frontend/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/arifnextdev","download_url":"https://codeload.github.com/arifnextdev/rbac-frontend/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arifnextdev%2Frbac-frontend/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31368156,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-03T17:53:18.093Z","status":"ssl_error","status_checked_at":"2026-04-03T17:53:17.617Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-03T18:01:11.591Z","updated_at":"2026-04-03T18:01:14.385Z","avatar_url":"https://github.com/arifnextdev.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Dynamic RBAC System\n\nA full-stack **Permission-Based Access Control** system with NestJS backend and Next.js frontend.\n\n## Project Overview\n\n| Component | URL / Repository |\n| ------------------ | -------------------------------------------- |\n| **Live Dashboard** | https://task.vsecommerce.cloud/dashboard |\n| **Frontend Repo** | https://github.com/arifnextdev/rbac-frontend |\n| **Backend Repo** | https://github.com/arifnextdev/rbac-backend |\n\n## Tech Stack\n\n| Layer | Technology |\n| -------- | -------------------------------------------- |\n| Frontend | Next.js 14 (App Router), TailwindCSS, Radix |\n| Backend | NestJS, Passport JWT, class-validator |\n| Database | PostgreSQL + Prisma ORM |\n| Auth | JWT access tokens + httpOnly refresh cookies |\n\n## Features\n\n- **Dynamic RBAC** — permissions are atomic; roles are just labels grouping permissions\n- **Grant Ceiling** — users can only assign permissions they themselves have\n- **JWT Auth** — 15-min access token (in memory) + 7-day refresh token (httpOnly cookie)\n- **Audit Logging** — append-only log of all significant actions\n- **Middleware Route Protection** — Next.js middleware checks auth cookie\n- **Dynamic Sidebar** — only shows links the user has permission to access\n- **Soft Delete** — entities use `deletedAt` timestamp, never hard-deleted\n\n## RBAC Architecture\n\n### Permission-Based vs Role-Based\n\nTraditional RBAC assigns permissions to roles, then assigns roles to users. This system uses **permission-based access control** where:\n\n1. **Permissions are atomic** — Each permission represents a single action (e.g., `view_users`, `manage_leads`)\n2. **Roles are labels** — Roles group permissions for convenience but don't directly grant access\n3. **Dynamic assignment** — Administrators can grant/revoke individual permissions per user\n\n### Grant Ceiling Enforcement\n\nUsers can only grant permissions they themselves possess. This security feature prevents privilege escalation.\n\n```\nAdmin (has: view_users, manage_users)\n └── Can grant: view_users, manage_users to Manager\n └── Manager (has: view_users, manage_users)\n └── Can grant: view_users, manage_users to Agent\n```\n\n### Permission Modules\n\n| Module | View | Manage |\n| --------- | ---------------- | ----------------- |\n| Users | `view_users` | `manage_users` |\n| Leads | `view_leads` | `manage_leads` |\n| Tasks | `view_tasks` | `manage_tasks` |\n| Reports | `view_reports` | `manage_reports` |\n| Audit | `view_audit` | — |\n| Settings | — | `manage_settings` |\n| Dashboard | `view_dashboard` | — |\n\n## Quick Start\n\n### Prerequisites\n\n- Node.js 18+\n- PostgreSQL running on `localhost:5432`\n- Database `rback_db` created\n\n### 1. Backend\n\n```bash\ncd backend\nnpm install\nnpx prisma migrate dev --name init\nnpx prisma db seed\nnpm run start:dev\n```\n\nBackend runs on **http://localhost:3001**\n\n### 2. Frontend\n\n```bash\ncd frontend\nnpm install\nnpm run dev\n```\n\nFrontend runs on **http://localhost:3000**\n\n### Demo Accounts\n\n| Role | Email | Password |\n| -------- | -------------------- | ------------ |\n| Admin | admin@example.com | Admin@123 |\n| Manager | manager@example.com | Manager@123 |\n| Agent | agent@example.com | Agent@123 |\n| Customer | customer@example.com | Customer@123 |\n\n## Project Structure\n\n```\nbackend/\n├── prisma/ # Schema \u0026 seed\n├── src/\n│ ├── auth/ # JWT auth, login, refresh, logout\n│ ├── users/ # User CRUD + permission assignment\n│ ├── permissions/ # Grant/revoke with ceiling enforcement\n│ ├── roles/ # Role listing\n│ ├── leads/ # Lead CRUD\n│ ├── tasks/ # Task CRUD\n│ ├── reports/ # Report CRUD\n│ ├── audit/ # Audit log viewing\n│ ├── prisma/ # Prisma module/service\n│ └── common/ # Guards, decorators\n\nfrontend/\n├── src/\n│ ├── app/\n│ │ ├── (dashboard)/ # Protected pages (layout with sidebar)\n│ │ ├── login/ # Login page\n│ │ └── 403/ # Forbidden page\n│ ├── components/ # Sidebar, route guard, UI components\n│ └── lib/ # API client, auth context, types\n```\n\n## API Endpoints\n\n| Method | Endpoint | Permission |\n| --------------------- | ------------------------- | ------------------- |\n| POST | /api/auth/login | Public |\n| POST | /api/auth/refresh | Public |\n| POST | /api/auth/logout | Authenticated |\n| GET | /api/auth/me | Authenticated |\n| GET | /api/users | view_users |\n| POST | /api/users | manage_users |\n| PATCH | /api/users/:id | manage_users |\n| DELETE | /api/users/:id | manage_users |\n| GET | /api/permissions | manage_permissions |\n| GET | /api/permissions/user/:id | manage_permissions |\n| POST | /api/permissions/grant | manage_permissions |\n| POST | /api/permissions/revoke | manage_permissions |\n| GET | /api/roles | manage_roles |\n| GET/POST/PATCH/DELETE | /api/leads | view/manage_leads |\n| GET/POST/PATCH/DELETE | /api/tasks | view/manage_tasks |\n| GET/POST/PATCH/DELETE | /api/reports | view/manage_reports |\n| GET | /api/audit | view_audit |\n\n## Environment Variables\n\n### Backend (.env)\n\n```env\n# Database\nDATABASE_URL=\"postgresql://username:password@localhost:5432/rback_db?schema=public\"\n\n# JWT\nJWT_SECRET=\"your-super-secret-jwt-key-change-in-production\"\nJWT_REFRESH_SECRET=\"your-super-secret-refresh-key-change-in-production\"\n\n# Server\nPORT=3001\nNODE_ENV=development\n```\n\n### Frontend (.env.local)\n\n```env\nNEXT_PUBLIC_API_URL=http://localhost:3001/api\n```\n\n## Deployment\n\n### Backend Deployment\n\n1. Set up PostgreSQL database\n2. Run migrations: `npx prisma migrate deploy`\n3. Seed database: `npx prisma db seed`\n4. Start production server: `npm run start:prod`\n\n### Frontend Deployment\n\n1. Build for production: `npm run build`\n2. Start production server: `npm start`\n\nOr deploy to Vercel:\n\n```bash\nvercel --prod\n```\n\n## Security Considerations\n\n- **JWT tokens**: Access tokens expire in 15 minutes, refresh tokens in 7 days\n- **Password hashing**: All passwords hashed with bcrypt\n- **SQL injection**: Protected by Prisma ORM parameterized queries\n- **XSS protection**: HttpOnly cookies prevent JavaScript access to tokens\n- **Rate limiting**: API endpoints protected by NestJS throttler\n\n## License\n\nMIT License - feel free to use this project for your own applications.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farifnextdev%2Frbac-frontend","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Farifnextdev%2Frbac-frontend","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farifnextdev%2Frbac-frontend/lists"}