Step 18: Authorization

Authorization ensures the authenticated user only has access to resources permitted by their role (or access privileges). Therefore, it answers the question, "What is this authenticated client allowed to do?"

For the Roster API, we make the following assumptions:

  • Instructors can perform all operations on "user" resources
  • Students can only operate on their own account (user resource)

To that end, we will add the user's role to the authentication token. Update the auth.js file:

- const token = createToken({ user: { id: user.id } });
+ const token = createToken({ user: { id: user.id, role: user.role } });
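Review bot: the `role` claim added here is only as trustworthy as the token that carries it, so the verifying side must check the token signature before reading `user.role`, and later authorization checks should take the role from the verified token, never from the request body or query string. The hunk correctly sources the role from the stored record (`user.role`); consider also how a record with no `role` set should behave, so that the eventual check defaults to deny rather than to instructor-level access.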

Make sure to update the tests in auth.test.js accordingly!
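As an added example that is not part of the Roster tutorial's code, here is how the role claim now carried in the token can enforce the two rules above (instructors may operate on any user resource, students only on their own). The function names, the role strings and the convention that an earlier authentication middleware has verified the token and set `req.user` are assumptions.

```javascript
// Added example (not the tutorial's code): authorization of "user" resources
// based on the role claim carried in the verified token.

const ROLE = { INSTRUCTOR: 'instructor', STUDENT: 'student' }; // assumed role values

// Decide whether the verified token payload may act on the user resource `targetId`.
// Instructors may do anything to user resources; students may only touch their own
// account. A missing id or an unknown role is denied (default deny).
function canAccessUser(tokenUser, targetId) {
  if (!tokenUser || typeof tokenUser.id === 'undefined') return false;
  if (tokenUser.role === ROLE.INSTRUCTOR) return true;
  if (tokenUser.role === ROLE.STUDENT) return String(tokenUser.id) === String(targetId);
  return false;
}

// Express-style middleware factory (assumed shape). It relies on a preceding
// authentication middleware having checked the token signature and set req.user to
// the token's `user` claim; the role is read only from there, never from the body.
function authorizeUserResource() {
  return function (req, res, next) {
    if (canAccessUser(req.user, req.params.id)) return next();
    res.status(403).json({ error: 'Forbidden' });
  };
}

// Minimal stand-in for req/res so the middleware can be exercised without Express.
// Returns 'next' when the request is allowed and the HTTP status code when denied.
function runMiddleware(user, paramId) {
  const req = { user, params: { id: paramId } };
  let outcome = null;
  const res = {
    status(code) { outcome = code; return this; },
    json() { return this; },
  };
  authorizeUserResource()(req, res, () => { outcome = 'next'; });
  return outcome;
}
```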

Refer to the commit history to see the changes made at this step.