Scenario
Assume that you are building an application for a hypothetical store chain. Each user of this application is assigned a role, and each role has a defined set of activities that it can perform (technically, the set of API endpoints it is allowed to call). Let's say this store has the following roles and activities. (Note: this is part four in a series on JWT security best practices; parts one, two, and three can be found here, here, and here, respectively.)
- Admin
  - Can add new stores.
  - Can add new users and assign roles to them (store manager and store user).
- Store Manager
  - Can add new products to the store.
  - Can remove products from the store.
  - Can update product details.
- User
  - Can view his/her own details.
  - Can view all products.
  - Can view a product using its product id.
  - Can get all products from a store.
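The role-to-activity mapping above is the core of the authorization decision the API has to make on every request. The following is an added example (not code from the original post or its sample project) that turns that mapping into a deny-by-default check: a role may only call an endpoint whose required activity is explicitly listed for it, and unknown roles or unregistered endpoints are refused. It assumes that the JWT has already been signature-verified and decoded into a dict of claims elsewhere, that the role is carried in a claim named `role`, and that the endpoint paths and the snake_case role and permission names are constructed here for illustration.

```python
"""Role-based authorization for the store scenario (added example).

Assumes the token has already been verified and decoded into `claims`
by earlier middleware; this code only answers "may this role call this
endpoint?".  The claim name "role", the permission names and the route
table are assumptions made for this example, not the post's own.
"""
import re
from typing import Dict, FrozenSet, List, Optional, Tuple

# Role -> activities that role may perform.  Deny-by-default: anything not
# listed here is forbidden for that role.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "admin": frozenset({"store:create", "user:create", "user:assign_role"}),
    "store_manager": frozenset({"product:create", "product:delete", "product:update"}),
    "user": frozenset({"self:read", "product:list", "product:read", "store:list_products"}),
}

# (HTTP method, path regex, required activity).  Patterns are matched with
# re.fullmatch so "/products" and "/products/<id>" never collide.  Paths are
# constructed for this example.
ENDPOINT_PERMISSIONS: List[Tuple[str, str, str]] = [
    ("POST",   r"/stores",                 "store:create"),
    ("POST",   r"/users",                  "user:create"),
    ("PUT",    r"/users/[^/]+/role",       "user:assign_role"),
    ("POST",   r"/stores/[^/]+/products",  "product:create"),
    ("DELETE", r"/products/[^/]+",         "product:delete"),
    ("PUT",    r"/products/[^/]+",         "product:update"),
    ("GET",    r"/me",                     "self:read"),
    ("GET",    r"/products",               "product:list"),
    ("GET",    r"/products/[^/]+",         "product:read"),
    ("GET",    r"/stores/[^/]+/products",  "store:list_products"),
]


def required_permission(method: str, path: str) -> Optional[str]:
    """Return the activity an endpoint requires, or None if it is not registered."""
    for allowed_method, pattern, permission in ENDPOINT_PERMISSIONS:
        if allowed_method == method.upper() and re.fullmatch(pattern, path):
            return permission
    return None


def is_allowed(role: Optional[str], permission: str) -> bool:
    """True only if the role exists and explicitly lists the permission."""
    return permission in ROLE_PERMISSIONS.get(role or "", frozenset())


def authorize_request(claims: dict, method: str, path: str) -> bool:
    """Authorization decision for the claims of an already-verified token.

    Fails closed: a missing role claim, an unknown role, or an endpoint
    that was never registered in ENDPOINT_PERMISSIONS all result in a deny,
    so adding a new route without a permission entry cannot silently open it.
    """
    permission = required_permission(method, path)
    if permission is None:
        return False
    return is_allowed(claims.get("role"), permission)


if __name__ == "__main__":
    # Constructed sample decisions.
    print(authorize_request({"role": "admin"}, "POST", "/stores"))          # True
    print(authorize_request({"role": "user"}, "DELETE", "/products/42"))    # False
    print(authorize_request({"role": "superuser"}, "GET", "/products"))     # False
```

The table of endpoints is the single place a reviewer needs to look to audit who can reach what, and because the lookup falls through to a deny, a route that is added to the web framework but forgotten here is unreachable rather than world-readable. Note that a bare role claim cannot express which store a store manager belongs to; scoping a manager's product operations to their own store needs an additional claim or a server-side lookup, which this example does not attempt.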
Environment
We will be implementing authentication with the following tools: