role-enforcement-fullstack
Role Enforcement Fullstack
Covers the non-obvious parts of RBAC: keeping frontend and backend in sync without copy-pasting permission logic, and avoiding the traps that create false security or broken UX. Skips basic auth setup — assumes roles exist on the user object.
Discovery
Before writing anything, answer:
- Permission model: Flat roles (admin, editor) or hierarchical (org:admin, project:viewer)?
- Role source: JWT claims, database lookup per request, or a session object?
- Shared code: Monorepo (can share a permissions module) or separate repos (must duplicate or use a package)?
- Frontend framework: React, Vue, Next.js? (affects where guards live — middleware file vs component wrapper)
- Backend: Express, Fastify, Next.js API routes, tRPC? (affects middleware shape)
- Granularity needed: Route-level only, or field-level (hide specific data fields by role)?
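As an added example (not the skill's own code), this is the shape the discovery answers point at when the model is hierarchical, roles live on the user object, the backend is Express-shaped and field-level filtering is needed: one shared module with a single `can` function, consumed by the API middleware, the UI guard and response redaction. The action vocabulary, the Req/Res stubs and the field rules are hypothetical.

```typescript
// Added example, not the skill's own code: one shared permissions module imported by both
// the API middleware and the UI guard. Role strings follow the page; the rest is hypothetical.
export type Scope = "org" | "project";
export type Level = "admin" | "editor" | "viewer";
export type Role = `${Scope}:${Level}`;            // e.g. "org:admin", "project:viewer"
export type Action = "read" | "write" | "delete";

// Single source of truth. Each level is a superset of the one below it.
const LEVEL_GRANTS: Record<Level, readonly Action[]> = {
  admin: ["read", "write", "delete"], editor: ["read", "write"], viewer: ["read"],
};

// Hierarchical: an org-scoped role covers every project; a project role never reaches org scope.
export function can(roles: readonly Role[], action: Action, scope: Scope): boolean {
  return roles.some((role) => {
    const [roleScope, level] = role.split(":") as [Scope, Level];
    const grants: readonly Action[] = LEVEL_GRANTS[level] ?? [];   // unknown level grants nothing
    return (roleScope === "org" || roleScope === scope) && grants.includes(action);
  });
}

// Backend: Express-shaped middleware, deny by default. Req/Res are stubbed so this runs offline.
type Req = { user?: { roles: Role[] } };
type Res = { status: (code: number) => { json: (body: unknown) => void } };
export function requirePermission(action: Action, scope: Scope) {
  return (req: Req, res: Res, next: () => void): void => {
    if (!req.user || !can(req.user.roles, action, scope)) {
      res.status(403).json({ error: "forbidden" });
      return;
    }
    next();
  };
}

// Frontend: the same `can` decides what to render. Hiding a control is UX; the middleware enforces.
export function visibleActions(roles: readonly Role[], scope: Scope): Action[] {
  return (["read", "write", "delete"] as const).filter((a) => can(roles, a, scope));
}

// Field-level: drop fields whose required action the caller lacks before the row leaves the API.
export function redact<T extends Record<string, unknown>>(
  roles: readonly Role[], scope: Scope, row: T, fieldRules: Partial<Record<keyof T, Action>>,
): Partial<T> {
  const out: Partial<T> = {};
  for (const key of Object.keys(row) as (keyof T)[]) {
    const needed = fieldRules[key];
    if (needed === undefined || can(roles, needed, scope)) out[key] = row[key];
  }
  return out;
}
```

Because the UI and the API both call `can`, a rule change is made once; a button the UI hides by mistake is a UX bug, while a route the middleware lets through is the security bug, so the middleware is the side to test.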