How to implement role-based auth in Node.js

Łukasz Holeczek Follow Łukasz Holeczek on GitHub Connect with Łukasz Holeczek on LinkedIn Follow Łukasz Holeczek on X (Twitter)

Monday, December 1, 2025

#nodejs #authentication #authorization #roles #security

Role-based authentication provides granular access control in Node.js applications by assigning specific permissions to user roles for secure resource management. As the creator of CoreUI with extensive Node.js experience since 2014, I’ve implemented RBAC systems in numerous enterprise applications and admin dashboards. The most scalable approach combines JWT tokens with role information and middleware functions that verify both authentication and authorization. This pattern enables flexible permission management while maintaining clean separation between authentication and business logic.

Implement role-based middleware that checks both user authentication and role permissions for protected routes.

const jwt = require('jsonwebtoken')

// Role-based authorization middleware
function authorize(roles = []) {
  return (req, res, next) => {
    const token = req.headers['authorization']?.split(' ')[1]

    if (!token) {
      return res.status(401).json({ error: 'Access denied' })
    }

    jwt.verify(token, process.env.JWT_SECRET, (err, decoded) => {
      if (err) return res.status(403).json({ error: 'Invalid token' })

      if (roles.length && !roles.includes(decoded.role)) {
        return res.status(403).json({ error: 'Insufficient permissions' })
      }

      req.user = decoded
      next()
    })
  }
}

// Usage on routes
app.get('/admin/users', authorize(['admin']), (req, res) => {
  // Admin-only route
})

app.get('/api/profile', authorize(['user', 'admin']), (req, res) => {
  // User and admin access
})

This code creates a flexible authorization middleware that accepts an array of allowed roles. It verifies the JWT token and checks if the user’s role matches any of the permitted roles for the route. The middleware can be applied to any route with specific role requirements, enabling granular access control throughout your application.

Best Practice Note:

This is the authorization architecture we use in CoreUI backend services for enterprise role management. Consider implementing hierarchical roles and permission-based access control for more complex authorization scenarios in large applications.

Speed up your responsive apps and websites with fully-featured, ready-to-use open-source admin panel templates—free to use and built for efficiency.

Angular

Bootstrap

React.js

Vue.js

About the Author

Follow Łukasz Holeczek on GitHub Connect with Łukasz Holeczek on LinkedIn Follow Łukasz Holeczek on X (Twitter)

Łukasz Holeczek, Founder of CoreUI, is a seasoned Fullstack Developer and entrepreneur with over 25 years of experience. As the lead developer for all JavaScript, React.js, and Vue.js products at CoreUI, they specialize in creating open-source solutions that empower developers to build better and more accessible user interfaces.

With expertise in TypeScript, JavaScript, Node.js, and modern frameworks like React.js, Vue.js, and Next.js, Łukasz combines technical mastery with a passion for UI/UX design and accessibility. CoreUI’s mission is to provide developers with tools that enhance productivity while adhering to accessibility standards.

Łukasz shares its extensive knowledge through a blog with technical software development articles. It also advises enterprise companies on building solutions from A to Z. Through CoreUI, it offers professional services, technical support, and open-core products that help developers and businesses achieve their goals.

Learn more about CoreUI’s solutions and see how your business can benefit from working with us.