Role-Based Access Control in Node.js: Beyond Simple Middleware

via Dev.to, by Young Gao

You've shipped your auth. Login works. JWT tokens fly around. Then someone asks: "Can editors publish but not delete?" and your beautiful `if (user.role === 'admin')` castle crumbles. Let's build RBAC that actually scales.

## The Problem with Role Checks

This is what most tutorials teach:

```typescript
app.delete('/posts/:id', (req, res) => {
  if (req.user.role !== 'admin') {
    return res.status(403).json({ error: 'Forbidden' });
  }
  // delete post
});
```

Three months later you have `admin`, `editor`, `moderator`, `super_admin`, and `content_lead`. Every route is a mess of `||` chains. Adding a role means touching dozens of files. You're checking *who someone is*, not *what they can do*.

The fix: **check permissions, not roles.**

## The Data Model

Three tables. That's it.

```sql
CREATE TABLE roles (
  id SERIAL PRIMARY KEY,
  name VARCHAR(50) UNIQUE NOT NULL,
  parent_id INTEGER REFERENCES roles(id) -- for hierarchy
);

CREATE TABLE permissions (
  id SERIAL PRIMARY KEY,
  res
```
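To show what "check permissions, not roles" looks like against this data model, here is an added example (not code from the article): the three tables held in memory, a resolver that walks the `parent_id` hierarchy, and a middleware-style guard that asks "can this user do X?" instead of matching role names. The `roles` shape follows the article's SQL; the column names assumed for `permissions` and `role_permissions` (`resource`, `action`, `role_id`, `permission_id`) are my assumptions, since the article's SQL is cut off after the `roles` table. The sample rows are constructed for the example.

```typescript
// Added example, not from the article. Column names for permissions and
// role_permissions are assumptions (the article's SQL is truncated).

type RoleRow = { id: number; name: string; parent_id: number | null };
type PermissionRow = { id: number; resource: string; action: string };
type RolePermissionRow = { role_id: number; permission_id: number };
type Db = { roles: RoleRow[]; permissions: PermissionRow[]; rolePermissions: RolePermissionRow[] };

// Constructed sample data: viewer < editor < admin, each level adding one permission.
const sampleDb: Db = {
  roles: [
    { id: 1, name: 'viewer', parent_id: null },
    { id: 2, name: 'editor', parent_id: 1 },
    { id: 3, name: 'admin', parent_id: 2 },
  ],
  permissions: [
    { id: 1, resource: 'posts', action: 'read' },
    { id: 2, resource: 'posts', action: 'publish' },
    { id: 3, resource: 'posts', action: 'delete' },
  ],
  rolePermissions: [
    { role_id: 1, permission_id: 1 },
    { role_id: 2, permission_id: 2 },
    { role_id: 3, permission_id: 3 },
  ],
};

// Collect every permission granted to a role or any ancestor, as "resource:action".
// The visited set makes a cycle in parent_id (bad data) terminate instead of
// hanging the request; an unknown role yields the empty set, i.e. deny.
function resolvePermissions(db: Db, roleName: string): Set<string> {
  const byId = new Map(db.roles.map((r): [number, RoleRow] => [r.id, r]));
  const permKey = new Map(db.permissions.map((p): [number, string] => [p.id, `${p.resource}:${p.action}`]));
  const granted = new Set<string>();
  const visited = new Set<number>();
  let current: RoleRow | undefined = db.roles.find(r => r.name === roleName);
  while (current !== undefined && !visited.has(current.id)) {
    visited.add(current.id);
    const roleId = current.id;
    for (const rp of db.rolePermissions.filter(rp => rp.role_id === roleId)) {
      const key = permKey.get(rp.permission_id);
      if (key !== undefined) granted.add(key);
    }
    current = current.parent_id === null ? undefined : byId.get(current.parent_id);
  }
  return granted;
}

function can(db: Db, roleName: string, permission: string): boolean {
  return resolvePermissions(db, roleName).has(permission);
}

// Minimal stand-ins for Express's req/res so this runs without Express installed.
type Req = { user?: { role: string } };
type Res = { status: (code: number) => Res; json: (body: unknown) => Res };

// Route guard, used as: app.delete('/posts/:id', requirePermission(db, 'posts:delete'), handler)
// Deny by default: no user, unknown role, or missing permission all return 403.
function requirePermission(db: Db, permission: string) {
  return (req: Req, res: Res, next: () => void): void => {
    if (req.user === undefined || !can(db, req.user.role, permission)) {
      res.status(403).json({ error: 'Forbidden' });
      return;
    }
    next();
  };
}

// Drive the guard with a fake req/res and report the resulting status code.
function simulate(db: Db, role: string | undefined, permission: string): number {
  let code = 200;
  let reachedHandler = false;
  const res: Res = {
    status: (c: number) => { code = c; return res; },
    json: () => res,
  };
  const req: Req = { user: role === undefined ? undefined : { role } };
  requirePermission(db, permission)(req, res, () => { reachedHandler = true; });
  return reachedHandler ? 200 : code;
}
```

Adding a new role is now a row in `roles` plus rows in `role_permissions`; no route changes. Two points worth keeping when this moves to a real database: resolve the permission set once per request (or cache it keyed by role) rather than walking the hierarchy inside every guard, and keep the deny-by-default branch, so a role that exists in the token but not in the table gets 403 rather than a crash or a pass.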

Continue reading on Dev.to
