rbac-authorization-patterns_skill

This skill helps you implement RBAC and multi-tenant authorization in a Go Echo backend, outlining roles, permissions, and JWT-based access control.
  • Go

3

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill linehaul-ai/linehaulai-claude-marketplace --skill rbac-authorization-patterns

  • SKILL.md20.7 KB

Overview

This skill provides practical RBAC and multi-tenant authorization patterns for laneweaverTMS, focused on a Go + Echo backend with Supabase/Postgres. It documents role/permission models, DB schema, JWT claims, Echo middleware, and RLS policy examples tailored for freight brokerage workflows. Use it to speed up secure, tenant-isolated access controls and consistent authorization behavior.

How this skill works

It defines a resource:action permission model and seed system roles (admin, dispatcher, sales, finance, driver, readonly). The skill shows core DB tables (roles, permissions, role_permissions, user_roles, account_users) and index guidance for RLS performance. It provides JWT claim structure and Echo middleware for authentication, tenant context, role checks, and permission checks, plus sample middleware chaining. Finally it includes account-based and role-aware RLS policy patterns to enforce tenant isolation at the database level.

When to use it

  • Designing user roles and permissions for freight brokerage operations
  • Implementing Echo middleware for JWT auth, role, and permission checks
  • Setting up account-based multi-tenant isolation and RLS policies
  • Defining JWT claims to carry account, role, and optional permission data
  • Choosing HTTP status codes and failure behaviors for auth flows

Best practices

  • Keep permissions in resource:action format (e.g., loads:read, invoices:approve) to simplify checks
  • Seed system roles and maintain role_permission mappings in DB; cache mappings or include permissions in JWT for performance
  • Enforce TenantContext after authentication to fail fast on missing tenant info
  • Layer middleware: Auth -> Tenant -> Role -> Permission to minimize unnecessary DB work
  • Use RLS for row-level tenant isolation and combine with role checks for least privilege

Example use cases

  • Protect /api/v1/loads endpoints: allow read to readonly/dispatcher/admin and limit writes to dispatcher/admin
  • Issue JWTs with account_id and roles so handlers and RLS can enforce tenant scoping without extra queries
  • Seed roles and permissions during deployment, then map users to roles per account in user_roles
  • Create RLS policies on loads/customers/invoices so queries automatically filter to the caller’s accounts
  • Implement RequirePermission middleware that checks JWT permissions first, then falls back to cached role-permission mapping

FAQ

Include minimal derived permissions in JWT for performance, but keep the canonical mapping in the DB so you can update roles centrally and rotate tokens as needed.

How to handle cross-account users (agents supporting multiple accounts)?

Use user_roles and account_users junction tables to assign roles per account; include active account_id in JWT context or require account selection at login/switch time.

What HTTP status codes should middleware return on failures?

Use 401 for missing/invalid authentication, 403 for missing tenant or insufficient roles/permissions, and 404 only when hiding resource existence for authorization reasons.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational