A standalone course · Catch up on this repo + interview prep
Authentication & Authorization, from newcomer to interview-ready
How this platform answers the two questions — "who are you?" and "what may you do?" — from a JWT in the metadata to a tenant-isolated row in Postgres.
Every request that reaches your data passed through a gauntlet of gates: a JWT
verified against a key set, a role check, a granular permission
scoped to a slice of the location tree, and finally Row-Level
Security in the database that filters rows by organization. This course
walks that whole chain, grounded in the real code where it's defined — the auth interceptor,
Shamir the token authority, rbacDecider, the permission/role model,
access_paths, and the RLS policies. It's the most security-critical machinery in the
repo, and among the most interviewable.
Part 1 — Authentication: who are you? available now
The token, where it comes from, and how every request proves identity.
1 · The two questions & the map
authN vs authZ, the gate sequence, and the three tiers of authorization.
ready2 · The JWT & its claims
The token format and the Manabie claim that carries identity + tenant.
3 · Shamir — the token authority
Login → exchange → mint, and the JWKS every service verifies against.
ready4 · The auth interceptor
Verify on every RPC, set the claims, and the two bypass lists.
readyPart 2 — Authorization: roles, permissions, locations available now
The three-tier "what may you do?" — from a coarse role to a permission scoped to a place.
5 · RBAC — the role gate
rbacDecider semantics (and the startup-panic myth), the role list.
6 · The granular permission model
permission → role → user_group → user, and the granted_permissions view.
7 · Locations & access_paths
The location tree, the materialized path, and subtree scoping.
ready8 · Scoped authorization in action
Resolving a permission to granted locations; the LocationRestricted gate.
Part 3 — Row-Level Security & the whole chain available now
The last gate — tenancy in the database — and the full request traced through all of them.
9 · RLS & multi-tenancy
resource_path, setPostgres, permission_check, FORCE RLS.
10 · Location-aware RLS policies
Tenant + app.user_id + granted permissions, enforced in the DB.
11 · Defense in depth — the full trace
One request through every gate; what each layer catches that others miss.
ready12 · rls_scan, service-to-service & recap
The drift scanner, faked JWTs, the surprises — and the whole-course recap.
readyReference shelf
Cheat sheet
The gate sequence, the join chain, RLS functions + interview one-liners.
Glossary
The canonical vocabulary, mapped to interview terms.
Repo auth map
Ground truth: interceptor, Shamir, rbacDecider, permissions, locations, RLS — with file:line.
Resources
RFCs, OIDC, Postgres RLS, NIST RBAC, Firebase — high-trust sources only.