This guide demonstrates how to test the RBAC system functionality.
Before testing, ensure:
- MongoDB is running on `localhost:27017`
- Environment variables are configured (`.env` file)
- Application dependencies are installed (`npm install`)
Run the RBAC seeder to create default roles and permissions:

```bash
npm run seed:rbac
```

Expected output:

```
🌱 Seeding RBAC data...
Creating permissions...
✓ Created permission: create users (system)
✓ Created permission: read users (system)
...
Creating roles...
✓ Created role: super_admin
✓ Created role: organization_admin
✓ Created role: store_owner
✓ Created role: store_manager
✓ Created role: staff
✅ RBAC seeding completed successfully!
```
Start the application:

```bash
npm run start:dev
```

The API will be available at http://localhost:3000
Open your browser and navigate to:
http://localhost:3000/api
You'll see all RBAC endpoints with:
- Interactive API testing
- Request/response schemas
- Authorization requirements
- Role and permission details
Register a user:

Request:

```bash
curl -X POST http://localhost:3000/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "email": "admin@example.com",
    "password": "Admin123!",
    "firstName": "Admin",
    "lastName": "User"
  }'
```

Response:

```json
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "user": {
    "id": "507f1f77bcf86cd799439011",
    "email": "admin@example.com",
    "firstName": "Admin",
    "lastName": "User",
    "role": "user",
    "roles": []
  }
}
```

Save the `access_token` for subsequent requests.
List the seeded roles:

Request:

```bash
curl -X GET http://localhost:3000/roles \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
```

Response:

```json
[
  {
    "_id": "...",
    "name": "super_admin",
    "description": "System administrator with full access to all resources",
    "scope": "system",
    "permissions": [...],
    "isSystemRole": true,
    "isActive": true
  },
  ...
]
```

Create an organization. First, assign the super_admin role to your user, then:
Request:

```bash
curl -X POST http://localhost:3000/organizations \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "ACME Corporation",
    "description": "Leading retail company"
  }'
```

Response:

```json
{
  "_id": "507f1f77bcf86cd799439012",
  "name": "ACME Corporation",
  "description": "Leading retail company",
  "isActive": true,
  "createdAt": "2024-01-01T00:00:00.000Z",
  "updatedAt": "2024-01-01T00:00:00.000Z"
}
```

Create a store in that organization:

Request:
```bash
curl -X POST http://localhost:3000/stores \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Downtown Store",
    "organizationId": "507f1f77bcf86cd799439012",
    "address": "123 Main St",
    "phone": "+1234567890"
  }'
```

Assign the store_manager role to a user for a specific store:
Request:

```bash
curl -X POST http://localhost:3000/user-roles/assign \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "userId": "507f1f77bcf86cd799439011",
    "roleId": "STORE_MANAGER_ROLE_ID",
    "scope": "store",
    "scopeId": "STORE_ID"
  }'
```

Check the user's effective permissions in that store:

Request:
```bash
curl -X GET "http://localhost:3000/user-roles/me/permissions?storeId=STORE_ID" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
```

Response:

```json
{
  "roles": ["store_manager"],
  "permissions": [
    "orders:create",
    "orders:read",
    "orders:update",
    "products:create",
    "products:read",
    "products:update",
    "categories:create",
    "categories:read",
    "categories:update"
  ],
  "userRoles": [...]
}
```

Create an order with store context:
Request:

```bash
curl -X POST http://localhost:3000/orders \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "x-store-id: STORE_ID" \
  -H "Content-Type: application/json" \
  -d '{
    "items": [
      {
        "productId": "PRODUCT_ID",
        "quantity": 2,
        "price": 29.99
      }
    ]
  }'
```

The `x-store-id` header sets the store context for permission evaluation. The header only selects the context; which permissions apply is still determined by the roles the user actually holds in that store, which is why cross-store access is denied (see the verification steps later in this guide).
Try accessing an endpoint without the required role:

Request:

```bash
curl -X DELETE http://localhost:3000/organizations/SOME_ID \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
```

Expected response (403 Forbidden):

```json
{
  "statusCode": 403,
  "message": "Access denied. Required roles: super_admin",
  "error": "Forbidden"
}
```

The five default roles and what each can do:

super_admin:
- Create organizations, stores, roles, permissions
- Full access to all resources

organization_admin:
- Manage all stores within their organization
- Assign roles to users within organization
- Cannot modify system-level settings

store_owner:
- Full control over specific store
- Manage products, orders, and staff
- Cannot access other stores

store_manager:
- Manage products and orders
- Cannot delete resources
- Cannot manage users

staff:
- Create and view orders
- View products
- Limited access
Run the unit tests:

```bash
npm test
```

All 15 tests should pass:

```
Test Suites: 10 passed, 10 total
Tests:       15 passed, 15 total
```
Additional scenarios to test:

Multi-store access:
- Create 2 stores
- Assign the user as store_manager in Store A
- Assign the user as staff in Store B
- Test access with different `x-store-id` headers

Custom role:
- Create a custom role with specific permissions
- Assign it to a user
- Verify the user can only perform the allowed actions

Permission changes:
- Add a permission to a role
- Verify users with that role gain the new permission
- Remove the permission and verify access is revoked

Organization-level roles:
- Assign an organization-level role
- Verify access to all stores in the organization
- Compare with store-level role access
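As an added example (not the project's own code), the following models the scope-aware resolution that the multi-store and organization-level scenarios above exercise: a user's assignments are filtered to those whose scope contains the requested store, the matching roles' permissions are merged, and a role guard returns the guide's 403 body when the required role is not held in that context. The data model (`roles`, `stores`, `userRoles`) and the sample ids are assumptions.

```javascript
// Added example, not the project's own code: a model of scope-aware role
// resolution as this guide tests it. Data shapes and sample data are assumptions.
// Constructed data for the multi-store scenario: user U1 is store_manager in
// Store A and staff in Store B; both stores belong to organization ORG_1.
const roles = {
  store_manager: ['orders:create', 'orders:read', 'orders:update',
    'products:create', 'products:read', 'products:update'],
  staff: ['orders:create', 'orders:read', 'products:read'],
  organization_admin: ['stores:read', 'stores:update', 'user-roles:assign'],
};
const stores = {
  STORE_A: { organizationId: 'ORG_1' },
  STORE_B: { organizationId: 'ORG_1' },
  STORE_C: { organizationId: 'ORG_2' },
};
const userRoles = [
  { userId: 'U1', role: 'store_manager', scope: 'store', scopeId: 'STORE_A' },
  { userId: 'U1', role: 'staff', scope: 'store', scopeId: 'STORE_B' },
  { userId: 'U2', role: 'organization_admin', scope: 'organization', scopeId: 'ORG_1' },
];
// An assignment applies to a store context when its scope contains that store:
// system-wide always, organization-wide only for that organization's stores,
// store-scoped only for that exact store. Unknown stores or scopes grant nothing.
function appliesToStore(assignment, storeId) {
  const store = stores[storeId];
  if (!store) return false;
  switch (assignment.scope) {
    case 'system': return true;
    case 'organization': return assignment.scopeId === store.organizationId;
    case 'store': return assignment.scopeId === storeId;
    default: return false;
  }
}
// Effective roles and permissions for a user in a store context, i.e. what
// GET /user-roles/me/permissions?storeId=... is expected to report.
function resolvePermissions(userId, storeId) {
  const active = userRoles.filter(a => a.userId === userId && appliesToStore(a, storeId));
  const names = [...new Set(active.map(a => a.role))];
  const permissions = [...new Set(names.flatMap(r => roles[r] || []))].sort();
  return { roles: names, permissions };
}
// Role guard: deny unless the user holds one of the required roles in this
// store context; the denial body mirrors the guide's 403 response.
function authorize(userId, storeId, requiredRoles) {
  const { roles: held } = resolvePermissions(userId, storeId);
  if (requiredRoles.some(r => held.includes(r))) return { statusCode: 200 };
  return { statusCode: 403, error: 'Forbidden',
    message: `Access denied. Required roles: ${requiredRoles.join(', ')}` };
}
```

Calling `resolvePermissions('U1', 'STORE_B')` yields only the staff permissions, so the store_manager rights from Store A never leak across stores, and `authorize('U1', 'STORE_A', ['super_admin'])` reproduces the 403 shown above.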
Solution: Ensure the Authorization header includes a valid JWT token.
Solution:
- Check the user's roles: `GET /user-roles/me/permissions`
- Assign an appropriate role: `POST /user-roles/assign`
Solution: Seeder has already run. This is normal.
Solution: Include the `x-store-id` header in the request.
For production deployments, consider:
- Load Testing: Test with concurrent users
- Permission Caching: Implement Redis for permission lookups
- Database Indexing: Ensure indexes on userId, roleId, scope fields
- JWT Optimization: Monitor token size with many roles
Verify:
- ✅ JWT tokens expire correctly
- ✅ Revoked roles deny access immediately
- ✅ System roles cannot be deleted
- ✅ Cross-store access is blocked
- ✅ Permissions are scope-aware
The RBAC system provides comprehensive access control with:
- 🎭 5 default roles
- 🔐 Fine-grained permissions
- 🏪 Multi-store support
- 🔄 Dynamic role assignment
- 📊 Complete audit trail
For detailed API reference, see RBAC_GUIDE.md