Learn React Authentication, Authorization, Identity & Permission/ACL
// Auth is not login. Part ini membangun mental model sistem auth React sebagai kombinasi identity, session, authorization, UI exposure control, dan server-side enforcement.
This overview is designed to help you choose the right entry point quickly. Follow the full track from lesson one, continue from your last checkpoint, or jump straight into a phase that matches what you need right now.
Curriculum Map
Navigate by phase, then choose the lesson that matches your current depth.
Auth Is Not Login
20 minAuth is not login. Part ini membangun mental model sistem auth React sebagai kombinasi identity, session, authorization, UI exposure control, dan server-side enforcement.
Authentication vs Authorization vs Identity
18 minMembedah perbedaan authentication, authorization, identity, account, principal, session, role, permission, scope, claim, dan tenant agar model auth React tidak ambigu.
React Auth Architecture Map
17 minPeta arsitektur React auth production-grade: boundary, component, data flow, trust model, dan lifecycle dari browser sampai policy engine.
Frontend Is Not the Enforcement Boundary
13 minMengapa frontend bukan enforcement boundary, bagaimana UI guard tetap berguna, dan bagaimana merancang server-side authorization yang tidak bisa dibypass lewat browser.
Browser Threat Model for React Auth
18 minThreat model browser untuk React authentication dan authorization: XSS, CSRF, storage, cookies, redirect, token leakage, extension risk, service worker, cache, dan trust boundary.
Auth System Invariants
16 minInvariant sistem auth untuk React apps: deny by default, no stale privilege, no trust in UI state, request-level enforcement, explicit token purpose, tenant isolation, auditability, and safe recovery.
Auth State Machine
15 minAuth state machine untuk React apps: dari anonymous, authenticating, authenticated, refreshing, expired, revoked, forbidden, degraded, sampai logout; lengkap dengan invariant, transition table, reducer, dan integrasi router.
Auth Failure Taxonomy
19 minTaxonomy kegagalan auth untuk React apps: login failure, session expiry, revocation, OAuth callback failure, permission denied, tenant mismatch, stale privilege, network degradation, dan security incidents.
Session Models for React Apps
17 minModel session untuk React apps: cookie session, bearer token session, BFF session, hybrid session, bootstrap, lifecycle, threat model, failure mode, dan decision boundary.
Token vs Cookie Decision Framework
10 minFramework keputusan token vs cookie untuk React apps: threat model, browser storage, CSRF/XSS trade-off, BFF, SSR, API topology, compliance, dan migration strategy.
LocalStorage, SessionStorage, Memory, Cookie
12 minDeep dive storage browser untuk React auth: localStorage, sessionStorage, memory, cookie, IndexedDB, Cache API, XSS/CSRF trade-off, persistence, multi-tab, dan decision framework.
HTTP-only Cookie Auth
9 minDesain HTTP-only cookie auth untuk React: server-side session, cookie attributes, SameSite, CSRF defense, bootstrap, logout, refresh, multi-tenant scope, BFF, dan failure model.
Bearer Token Auth in React
17 minBearer token auth in React, including access token semantics, in-memory storage, API client boundary, interceptor risks, XSS blast radius, token purpose, and production failure handling.
Refresh Token Rotation
15 minRefresh token rotation for React apps, including token family semantics, reuse detection, concurrent refresh races, multi-tab coordination, replay handling, server-side state, and production testing.
Token Expiry and Clock Skew
18 minToken expiry and clock skew for React apps, including expiry semantics, distributed clocks, proactive refresh, reactive recovery, retry safety, permission drift, cache invalidation, and production testing.
JWT vs Opaque Token
19 minJWT versus opaque tokens for React authentication and authorization architecture, including token format, validation, revocation, introspection, claim design, frontend misuse, BFF patterns, and decision trade-offs.
Client-side Token Decoding
10 minClient-side token decoding in React without confusing JWT claims with authority, including safe use cases, dangerous use cases, stale claims, claim trust boundaries, and production implementation patterns.
Cross-tab Session Coordination
7 minCross-tab session coordination for React authentication, including logout propagation, refresh locking, BroadcastChannel, storage events, stale session recovery, race conditions, and production-grade session event design.
Session Bootstrap
15 minSession bootstrap untuk React apps: /me, /session, silent restore, auth projection, splash state, cache safety, degraded state, loader integration, dan failure modelling.
Logout Is a Distributed System Problem
15 minLogout sebagai distributed systems problem: server revocation, cookie/token cleanup, IdP logout, multi-tab propagation, cache purge, service worker, back button, retries, dan incident-safe design.
OAuth/OIDC Mental Model
18 minOAuth/OIDC mental model untuk React engineers: aktor, trust boundary, token purpose, authorization server, resource server, relying party, IdP, browser role, dan kesalahan konsep yang sering merusak desain auth.
Authorization Code with PKCE
11 minAuthorization Code with PKCE untuk React/browser apps: redirect transaction, state, nonce, code verifier, code challenge, callback handler, token exchange, BFF vs pure SPA, failure modes, dan testing matrix.
Why Implicit Flow Is Legacy
11 minKenapa OAuth Implicit Flow adalah legacy untuk React/browser apps: front-channel token exposure, PKCE replacement, migration path, failure modes, testing, dan hardening callback.
ID Token, Access Token, Refresh Token
11 minPerbedaan ID Token, Access Token, dan Refresh Token untuk React engineers: purpose, audience, validation, storage, misuse, token confusion, BFF/SPAs, dan implementation contract.
Callback Route Hardening
10 minCallback route hardening untuk React/OIDC: state, nonce, PKCE transaction, redirect URI exactness, open redirect defense, callback parser, replay prevention, dan production checklist.
Login Redirect State Machine
8 minLogin redirect state machine untuk React apps: pre-login intent, return URL, transaction lifecycle, loop prevention, IdP errors, multi-tab coordination, tenant routing, and recovery semantics.
SSO and Enterprise Identity
10 minSSO dan enterprise identity dari perspektif React apps: SAML/OIDC federation, organization discovery, IdP routing, account linking, tenant binding, JIT provisioning, domain claim risk, logout boundary, and enterprise failure modes.
MFA and Step-up Authentication
7 minMFA dan step-up authentication untuk React apps: assurance level, sensitive-action challenge, re-authentication, risk-based prompts, WebAuthn/passkeys boundary, recovery UX, testing, and failure modelling.
Passkeys/WebAuthn for React Engineers
6 minPasskeys dan WebAuthn untuk React engineers: mental model, ceremony, server verification boundary, registration, authentication, UX, recovery, step-up, testing, dan failure modelling.
Auth Provider Integration Patterns
6 minAuth provider integration patterns untuk React apps: Auth0, Clerk, WorkOS, Cognito, Supabase/Firebase-style providers, hosted UI, SDK boundary, BFF, lock-in surface, authorization separation, migration, testing, and production readiness.
Protected Routes Are Not Enough
10 minWhy protected routes are not enough in React apps: render-time guards, data leaks before redirect, loader/action auth, frontend exposure control, backend enforcement, failure modes, testing, and migration to route/data authorization boundaries.
React Router Auth Architecture
8 minReact Router auth architecture across Declarative, Data, and Framework modes: route protection, loader/action auth, middleware, root session loading, route metadata, permission checks, revalidation, SSR/BFF boundaries, and decision matrix.
Loader-level Authentication
12 minLoader-level authentication for React Router Data and Framework modes: authenticate before render, prevent data flash, design root/session loaders, redirect safely, handle 401/403/degraded states, integrate BFF/session cookies, and test auth boundaries before route data is exposed.
Action-level Authorization
10 minAction-level authorization for React Router mutations: authenticate and authorize form submissions before write, protect server actions and client actions, handle CSRF, ownership, state transitions, idempotency, optimistic UI rollback, typed denial, and post-mutation revalidation.
Router Middleware Auth
8 minRouter middleware auth for React Router: session loading, typed auth context, route-wide policy plumbing, parent-child execution order, server vs client middleware, redirect strategy, error handling, observability, and why middleware is a reusable boundary but not the final authorization authority.
Return URL and Open Redirect Defense
8 minReturn URL and open redirect defense for React authentication flows: safe post-login intent, URL canonicalization, internal-only redirects, allowlists, OAuth callback safety, route-loader redirects, step-up return paths, tenant switching, redirect-loop prevention, and tests that catch phishing and exploit-chain risks.
Pending UI and Auth Race Conditions
8 minPending UI and auth race conditions in React Router apps: navigation state, loader/action concurrency, session refresh races, logout during pending work, tenant switches, auth epochs, stale response suppression, request cancellation, and safe UX for authenticated applications.
Auth Error Boundaries
7 minAuth error boundaries for React Router apps: typed 401/403/session-expired/step-up/tenant-mismatch failures, route-level recovery, nested error boundaries, secure denial UX, error sanitization, observability, and testing strategies.
Route Metadata Permissions
9 minRoute metadata permissions for React Router apps: handle-based permission metadata, route policy contracts, inherited policy, loader/action integration, menu derivation, static analysis, testing, and secure defaults.
Route-driven Layout Security
8 minRoute-driven layout security for React apps: nested layouts, sidebars, menus, breadcrumbs, command palettes, tabs, outlet context, no-data-flash rendering, cache cleanup, SSR considerations, and secure composition patterns.
Authorization Mental Model
14 minAuthorization mental model for React engineers: subject-action-resource-context, policy decision point, policy enforcement point, deny-by-default, decision contracts, permission projection, workflow authorization, tenant boundaries, cache invalidation, and testing strategy.
RBAC in React Apps
10 minRBAC in React apps: users, roles, permissions, sessions, tenant-scoped roles, role hierarchy, constraints, separation of duties, permission projection, UI exposure, route metadata, admin UX, cache invalidation, migration from role checks, and testing.
Permission-based UI
16 minPermission-based UI for React applications: capability contracts, can() primitives, deny-by-default rendering, allowed actions, route/menu/action exposure, async permission state, cache invalidation, testing, and anti-patterns.
ACL and Object-level Permission
14 minACL and object-level permission for React applications: per-resource authorization, ownership, grants, groups, inheritance, allowedActions, IDOR/BOLA defense, object pages, row actions, bulk operations, caching, audit, and testing.
ABAC for React Engineers
17 minABAC for React engineers: subject, resource, action, and environment attributes; policy decision contracts; frontend permission projection; attribute freshness; risk context; multi-tenant constraints; UI implications; testing; and failure modes.
ReBAC and Zanzibar-style Permissions
14 minReBAC and Zanzibar-style permissions for React engineers: relationship tuples, usersets, object graphs, inheritance, contextual tuples, consistency, permission checks, frontend projections, collaboration UX, caching, and failure modelling.
Policy as Data vs Policy as Code
10 minPolicy as Data vs Policy as Code for React engineers: authorization policy placement, hardcoded checks, permission tables, external policy engines, Cedar/Rego/OpenFGA-style models, versioning, testing, auditability, and frontend implications.
Frontend Permission Contract
6 minFrontend permission contract for React applications: stable action vocabulary, decision projection, allowed actions, denial reasons, constraints, obligations, field permissions, route metadata, cache invalidation, schema versioning, and contract testing.
Permission Cache Invalidation
10 minPermission cache invalidation for React applications: role changes, org switches, object grant updates, session refresh, stale privilege, permission epochs, event-driven invalidation, cache keys, cross-tab coordination, testing, and failure modes.
Deny-by-default React UI
7 minDeny-by-default React UI for authorization-aware applications: unknown permission state, safe rendering, permission boundaries, skeletons, hidden vs disabled controls, field-level denial, route layout policy, SSR/hydration, testing, and design-system integration.
Component Authorization Patterns
11 minComponent authorization patterns for React applications: conditional rendering, guard components, render props, hooks, HOCs, design-system wrappers, row actions, field-level authorization, policy projection, failure modes, and testing.
Designing useCan()
8 minDesigning a production-grade useCan hook for React authorization: API shape, decision states, synchronous and asynchronous permissions, resource identity, batching, cache invalidation, external stores, SSR, testing, and failure modes.
Permission-aware Design System
15 minBuilding a permission-aware design system for React applications: action components, menu items, forms, tables, bulk actions, empty states, accessibility, design tokens, authorization contracts, failure modes, and testing.
Forms and Field-level Permission
15 minDeep implementation guide for forms and field-level permission in React: editable/read-only/hidden/masked fields, server-projected field policies, validation versus authorization, patch semantics, workflow state, stale permission handling, and testing.
Table Row Action Authorization
15 minDeep implementation guide for table row action authorization in React: per-row allowed actions, bulk action eligibility, stale permission handling, denial reasons, optimistic UI, and server-side enforcement boundaries.
Navigation/Menu Permission
13 minDeep implementation guide for navigation and menu permission in React: sidebars, breadcrumbs, tabs, command palettes, direct URL access, route metadata, tenant-aware navigation, and deny-by-default menu projection.
Feature Flags vs Permissions
11 minDeep implementation guide for separating feature flags from permissions in React: release control vs access control, entitlement boundaries, flag evaluation, policy enforcement, migration, and failure modes.
Permission Reason and User Feedback
8 minDeep implementation guide for permission reason and user feedback in React: denial reasons, recovery paths, request access flows, safe error messaging, auditability, and UX-security trade-offs.
Admin Impersonation UI
10 minDeep implementation guide for admin impersonation UI in React: impersonation state, audit banner, constrained capability, safe support debugging, session isolation, tenant boundary, and abuse-resistant design.
Access Request Workflows
8 minDeep implementation guide for access request workflows in React: request access, approval chains, temporary grants, expiry, delegation, auditability, and production-grade permission recovery.
API Client Auth Boundary
8 minDeep implementation guide for designing an auth-aware API client boundary in React: request signing, token/cookie transport, refresh queues, retries, aborts, 401/403 semantics, CSRF, tenant context, and safe failure handling.
TanStack Query Auth Integration
10 minDeep implementation guide for integrating TanStack Query with React auth: session-scoped query keys, cache invalidation, logout cleanup, 401/403 retry semantics, AbortSignal, optimistic mutation rollback, permission projection, and SSR/persistence risks.
GraphQL Auth in React
8 minGraphQL auth in React: authentication transport, authorization at resolver/business boundary, partial data, field-level permission, cache isolation, and safe client UX.
REST BOLA/IDOR Defense from Frontend Perspective
9 minREST BOLA/IDOR defense from the frontend perspective: object identifiers, route params, API contracts, tenant scoping, safe UI assumptions, and server-side enforcement expectations.
File Upload/Download Authorization
13 minFile upload and download authorization for React apps: object permissions, signed URLs, upload intent, finalize flow, preview leaks, cache risks, and server-side enforcement.
WebSocket/SSE Auth
13 minWebSocket and Server-Sent Events auth for React apps: handshake authentication, channel authorization, cookie/token transport, reconnect, refresh, revocation, and stream-safe UI.
Background Jobs and Polling Auth
11 minBackground jobs and polling auth for React apps: visibility-aware polling, session expiry, logout cancellation, permission drift, tenant switch, refresh storms, and safe job status UX.
Cache Control for Authenticated UI
12 minCache-control for authenticated React UI: browser cache, CDN cache, bfcache, service worker, API responses, query cache, Clear-Site-Data, logout cleanup, and sensitive data containment.
Optimistic UI with Authorization
9 minOptimistic UI with authorization: provisional mutations, rollback, 401/403 semantics, permission drift, stale grants, idempotency, bulk action preview, and secure recovery in React data layers.
Offline and Degraded Auth
8 minOffline and degraded authentication/authorization in React: cached reads, queued writes, revalidation, degraded IdP/API states, service workers, permission TTL, conflict recovery, and secure sync.
SPA vs SSR vs BFF Auth
9 minSPA vs SSR vs BFF authentication architecture for React apps: trust boundaries, token exposure, session model, data loading, CSRF/XSS trade-offs, deployment constraints, and decision matrix.