This implementation provides a comprehensive RBAC system for the Vesting Vault backend, preventing internal privilege escalation and ensuring granular access control.

Roles:

- SuperAdmin - Full system control
- FinanceManager - Withdrawal/Revenue operations only
- HRManager - Onboarding/Metadata management only
- ReadOnlyAuditor - Read-only audit access

Features:

- JWT-based authentication with signed claims
- Granular permission system
- Endpoint-level access control
- Automatic audit logging with role tracking
- Prevention of internal privilege escalation
Token claims structure:

```json
{
  "id": "user-id",
  "email": "user@example.com",
  "role": "finance_manager",
  "iat": 1234567890,
  "exp": 1234654290
}
```

Authentication endpoints:

- POST /api/auth/token/generate - Generate JWT token
- GET /api/auth/token/verify - Verify current token
- GET /api/auth/roles - List available roles
- GET /api/auth/permissions/:role - Get role permissions
- GET /api/auth/test-access - Test current user access

Protected endpoints:

- GET /api/audit/* - Audit endpoints (role-based access)
- POST /api/vesting/cliff-date - Modify vesting (SuperAdmin only)
- POST /api/vesting/beneficiary - Modify vesting (SuperAdmin only)
- POST /api/admin/action - Admin actions (SuperAdmin only)
SuperAdmin:

- ✅ Full system control
- ✅ Modify vesting schedules
- ✅ Manage all operations
- ✅ Access all audit functions

FinanceManager:

- ✅ View vesting schedules
- ✅ Initiate/approve withdrawals
- ✅ Manage revenue
- ✅ View audit logs
- ❌ Modify vesting schedules
- ❌ User onboarding

HRManager:

- ✅ View vesting schedules
- ✅ Onboard users
- ✅ Manage user metadata
- ✅ View audit logs
- ❌ Modify vesting schedules
- ❌ Financial operations

ReadOnlyAuditor:

- ✅ View vesting schedules
- ✅ View audit logs
- ✅ Export audit logs
- ✅ Verify integrity
- ❌ Any modifications
- ❌ Financial operations
Generate a token for an HR manager:

```bash
curl -X POST "http://localhost:3000/api/auth/token/generate" \
  -H "Content-Type: application/json" \
  -d '{
    "id": "hr-manager-1",
    "email": "hr@company.com",
    "role": "hr_manager"
  }'
```

Read audit history as a finance manager (allowed):

```bash
curl "http://localhost:3000/api/audit/history" \
  -H "Authorization: Bearer <finance-manager-token>"
```

Attempt to modify a cliff date as an HR manager (denied):

```bash
curl -X POST "http://localhost:3000/api/vesting/cliff-date" \
  -H "Authorization: Bearer <hr-manager-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "beneficiaryId": "test-123",
    "previousCliffDate": "2024-01-01",
    "newCliffDate": "2024-06-01"
  }'
# Response: 403 Forbidden - Insufficient privileges
```

Request flow:

1. Authentication - Validate JWT token
2. Claims Validation - Verify required claims present
3. RBAC Check - Validate role-based endpoint access
4. Audit Logging - Log action with role information
Security guarantees:

- All API requests validated against signed JWT claims
- Role hierarchy enforced at middleware level
- Audit logs track user ID and role for all actions
- No bypass mechanisms for role validation

All audit entries now include:

- User role (userRole)
- User ID (userId)
- Original request metadata
- Permission validation results
Environment configuration:

```env
# RBAC Configuration
JWT_SECRET=your-super-secret-jwt-key-change-in-production
JWT_EXPIRES_IN=24h
```

Comprehensive test suite covering:

- Token generation for all roles
- Permission validation
- Access control enforcement
- Unauthorized access prevention
- Role hierarchy verification

Run tests:

```bash
npm test
```

Security benefits:

- Prevents Internal Privilege Escalation - Junior employees cannot access founder-level functions
- Granular Access Control - Each role has exactly the permissions needed
- Audit Trail - All actions logged with role context
- JWT Security - Cryptographically signed claims prevent tampering
- Defense in Depth - Multiple validation layers
This implementation ensures that HR managers can view vesting schedules but cannot modify them, while maintaining comprehensive audit trails and preventing unauthorized access to critical system functions.