Stack Overflow: MERN Stack Authorization and Authentication

What you are looking for is called externalized / dynamic authorization management. The formal model is called Attribute-Based Access Control (abac / Wikipedia). It was formalized by the Nat’l Institute of Standards & Technology (NIST).

More in depth

You stated:

When user login then he will be able to create, edit and delete todo on his dashboard and no one will be able to see or edit that.

You need to write a policy using attributes that will allow users to do such things and prevent them from doing other things. If we rewrite your requirement, it becomes:

• A user can create, edit, and delete a TODO item on a dashboard they own.
• No one can see items on a dashboard they do not own.

Looking at the requirements, you realize you have:

• a subject (or user) with their attributes (e.g. role, department…)
• an action (e.g. view, edit, delete…)
• an object or resource (the “TODO” item) and its container (the dashboard).

This means you can start rewriting your requirement in terms of attributes. This becomes:

• A user can do action == "view" on object of type == "TODO" if user.username == object.dashboard.owner

You can then add:

• deny all access if object.dashboard.owner != user.username

The language to write such policies is called ALFA (alfa / Wikipedia, the abbreviated language for authorization. It’s a standard defined by OASIS XACML.

Once you’ve defined your policies, you’ll need to deploy them, run them, and enforce them. This is where the ABAC architecture kicks in:

• Policy Administration Point (PAP): where policies are written
• Policy Decision Point (PDP): where policies are run / executed
• Policy Enforcement Point (PEP): where policies are enforced – this could be an API gateway, an interceptor…
• Policy Information Point (PIP): where additional metadata & attributes can be retrieved

The question then becomes: where do you want to enforce? What does your MERN architecture look like? Do you want to authorize:

• in the web UI? (functional authZ)
• in the API layer (transactional authZ)
• in the data layer (data-centric authZ / filtering)

For instance, do you want to filter data from MongoDB and only show allowed results? Do you want to apply authorization on the API layer? API gateways (e.g. Kong) can help you achieve that with authorization plugins e.g. Axiomatics-Kong.

There are open-source and commercial ABAC implementations and a standards body too (I’m the editor of some of the specs such as the JSON/REST request/response)

• A Java Policy Enforcement Point in JSON/REST – open source
• AuthZForce – an open-source PDP
• Axiomatics – a commercial Attribute Based Access Control (ABAC) platform