A standalone course · Catch up on this repo + interview prep

Authentication & Authorization, from newcomer to interview-ready

How this platform answers the two questions — "who are you?" and "what may you do?" — from a JWT in the metadata to a tenant-isolated row in Postgres.

Every request that reaches your data passed through a gauntlet of gates: a JWT verified against a key set, a role check, a granular permission scoped to a slice of the location tree, and finally Row-Level Security in the database that filters rows by organization. This course walks that whole chain, grounded in the real code where it's defined — the auth interceptor, Shamir the token authority, rbacDecider, the permission/role model, access_paths, and the RLS policies. It's the most security-critical machinery in the repo, and among the most interviewable.

How to use this Do one lesson, take its quiz from memory (no peeking), then skim the matching row of the cheat sheet. Come back a day later and re-take it — spacing beats cramming. You know the rhythm by now. Stuck? Ask me — I'm your teacher, not just the author.
The spine — the gate sequence token → interceptor (verify + claims) → role gate → service check (ownership + permission/location) → repo → RLS (tenant + location). Every lesson is a stop on this line. Part 1 is authentication; Parts 2–3 are the three tiers of authorization.

Part 1 — Authentication: who are you? available now

The token, where it comes from, and how every request proves identity.

1 · The two questions & the map

authN vs authZ, the gate sequence, and the three tiers of authorization.

ready

2 · The JWT & its claims

The token format and the Manabie claim that carries identity + tenant.

ready

3 · Shamir — the token authority

Login → exchange → mint, and the JWKS every service verifies against.

ready

4 · The auth interceptor

Verify on every RPC, set the claims, and the two bypass lists.

ready

Part 2 — Authorization: roles, permissions, locations available now

The three-tier "what may you do?" — from a coarse role to a permission scoped to a place.

5 · RBAC — the role gate

rbacDecider semantics (and the startup-panic myth), the role list.

ready

6 · The granular permission model

permission → role → user_group → user, and the granted_permissions view.

ready

7 · Locations & access_paths

The location tree, the materialized path, and subtree scoping.

ready

8 · Scoped authorization in action

Resolving a permission to granted locations; the LocationRestricted gate.

ready

Part 3 — Row-Level Security & the whole chain available now

The last gate — tenancy in the database — and the full request traced through all of them.

9 · RLS & multi-tenancy

resource_path, setPostgres, permission_check, FORCE RLS.

ready

10 · Location-aware RLS policies

Tenant + app.user_id + granted permissions, enforced in the DB.

ready

11 · Defense in depth — the full trace

One request through every gate; what each layer catches that others miss.

ready

12 · rls_scan, service-to-service & recap

The drift scanner, faked JWTs, the surprises — and the whole-course recap.

ready

Reference shelf

Cheat sheet

The gate sequence, the join chain, RLS functions + interview one-liners.

Glossary

The canonical vocabulary, mapped to interview terms.

Repo auth map

Ground truth: interceptor, Shamir, rbacDecider, permissions, locations, RLS — with file:line.

Resources

RFCs, OIDC, Postgres RLS, NIST RBAC, Firebase — high-trust sources only.

All 12 lessons are built — the course is complete. You can now trace any endpoint from a JWT in the metadata to a tenant-isolated row in Postgres, through every gate — and name what the repo really does (the rbac-panic myth, the two interceptor packages, the Shamir red-herring, the Hasura twin). The one thing left is a retention check — ask me to run a mock interview across the course (cold, no peeking) and I'll write the first learning records proving what stuck. Questions on any lesson? Ask me — that's what I'm here for.