ALL_SERIES
SERIES_OVERVIEW // CURRICULUM_MAP

Learn React Authentication, Authorization, Identity & Permission/ACL

// Auth is not login. Part ini membangun mental model sistem auth React sebagai kombinasi identity, session, authorization, UI exposure control, dan server-side enforcement.

130 Lessons1572 Min Total04 Phases

This overview is designed to help you choose the right entry point quickly. Follow the full track from lesson one, continue from your last checkpoint, or jump straight into a phase that matches what you need right now.

401403abacabuse-preventionaccess-control+267 more

Curriculum Map

Navigate by phase, then choose the lesson that matches your current depth.

01

Auth Is Not Login

20 min

Auth is not login. Part ini membangun mental model sistem auth React sebagai kombinasi identity, session, authorization, UI exposure control, dan server-side enforcement.

02

Authentication vs Authorization vs Identity

18 min

Membedah perbedaan authentication, authorization, identity, account, principal, session, role, permission, scope, claim, dan tenant agar model auth React tidak ambigu.

03

React Auth Architecture Map

17 min

Peta arsitektur React auth production-grade: boundary, component, data flow, trust model, dan lifecycle dari browser sampai policy engine.

04

Frontend Is Not the Enforcement Boundary

13 min

Mengapa frontend bukan enforcement boundary, bagaimana UI guard tetap berguna, dan bagaimana merancang server-side authorization yang tidak bisa dibypass lewat browser.

05

Browser Threat Model for React Auth

18 min

Threat model browser untuk React authentication dan authorization: XSS, CSRF, storage, cookies, redirect, token leakage, extension risk, service worker, cache, dan trust boundary.

06

Auth System Invariants

16 min

Invariant sistem auth untuk React apps: deny by default, no stale privilege, no trust in UI state, request-level enforcement, explicit token purpose, tenant isolation, auditability, and safe recovery.

07

Auth State Machine

15 min

Auth state machine untuk React apps: dari anonymous, authenticating, authenticated, refreshing, expired, revoked, forbidden, degraded, sampai logout; lengkap dengan invariant, transition table, reducer, dan integrasi router.

08

Auth Failure Taxonomy

19 min

Taxonomy kegagalan auth untuk React apps: login failure, session expiry, revocation, OAuth callback failure, permission denied, tenant mismatch, stale privilege, network degradation, dan security incidents.

09

Session Models for React Apps

17 min

Model session untuk React apps: cookie session, bearer token session, BFF session, hybrid session, bootstrap, lifecycle, threat model, failure mode, dan decision boundary.

10

Token vs Cookie Decision Framework

10 min

Framework keputusan token vs cookie untuk React apps: threat model, browser storage, CSRF/XSS trade-off, BFF, SSR, API topology, compliance, dan migration strategy.

11

LocalStorage, SessionStorage, Memory, Cookie

12 min

Deep dive storage browser untuk React auth: localStorage, sessionStorage, memory, cookie, IndexedDB, Cache API, XSS/CSRF trade-off, persistence, multi-tab, dan decision framework.

12

HTTP-only Cookie Auth

9 min

Desain HTTP-only cookie auth untuk React: server-side session, cookie attributes, SameSite, CSRF defense, bootstrap, logout, refresh, multi-tenant scope, BFF, dan failure model.

13

Bearer Token Auth in React

17 min

Bearer token auth in React, including access token semantics, in-memory storage, API client boundary, interceptor risks, XSS blast radius, token purpose, and production failure handling.

14

Refresh Token Rotation

15 min

Refresh token rotation for React apps, including token family semantics, reuse detection, concurrent refresh races, multi-tab coordination, replay handling, server-side state, and production testing.

15

Token Expiry and Clock Skew

18 min

Token expiry and clock skew for React apps, including expiry semantics, distributed clocks, proactive refresh, reactive recovery, retry safety, permission drift, cache invalidation, and production testing.

16

JWT vs Opaque Token

19 min

JWT versus opaque tokens for React authentication and authorization architecture, including token format, validation, revocation, introspection, claim design, frontend misuse, BFF patterns, and decision trade-offs.

17

Client-side Token Decoding

10 min

Client-side token decoding in React without confusing JWT claims with authority, including safe use cases, dangerous use cases, stale claims, claim trust boundaries, and production implementation patterns.

18

Cross-tab Session Coordination

7 min

Cross-tab session coordination for React authentication, including logout propagation, refresh locking, BroadcastChannel, storage events, stale session recovery, race conditions, and production-grade session event design.

19

Session Bootstrap

15 min

Session bootstrap untuk React apps: /me, /session, silent restore, auth projection, splash state, cache safety, degraded state, loader integration, dan failure modelling.

20

Logout Is a Distributed System Problem

15 min

Logout sebagai distributed systems problem: server revocation, cookie/token cleanup, IdP logout, multi-tab propagation, cache purge, service worker, back button, retries, dan incident-safe design.

21

OAuth/OIDC Mental Model

18 min

OAuth/OIDC mental model untuk React engineers: aktor, trust boundary, token purpose, authorization server, resource server, relying party, IdP, browser role, dan kesalahan konsep yang sering merusak desain auth.

22

Authorization Code with PKCE

11 min

Authorization Code with PKCE untuk React/browser apps: redirect transaction, state, nonce, code verifier, code challenge, callback handler, token exchange, BFF vs pure SPA, failure modes, dan testing matrix.

23

Why Implicit Flow Is Legacy

11 min

Kenapa OAuth Implicit Flow adalah legacy untuk React/browser apps: front-channel token exposure, PKCE replacement, migration path, failure modes, testing, dan hardening callback.

24

ID Token, Access Token, Refresh Token

11 min

Perbedaan ID Token, Access Token, dan Refresh Token untuk React engineers: purpose, audience, validation, storage, misuse, token confusion, BFF/SPAs, dan implementation contract.

25

Callback Route Hardening

10 min

Callback route hardening untuk React/OIDC: state, nonce, PKCE transaction, redirect URI exactness, open redirect defense, callback parser, replay prevention, dan production checklist.

26

Login Redirect State Machine

8 min

Login redirect state machine untuk React apps: pre-login intent, return URL, transaction lifecycle, loop prevention, IdP errors, multi-tab coordination, tenant routing, and recovery semantics.

27

SSO and Enterprise Identity

10 min

SSO dan enterprise identity dari perspektif React apps: SAML/OIDC federation, organization discovery, IdP routing, account linking, tenant binding, JIT provisioning, domain claim risk, logout boundary, and enterprise failure modes.

28

MFA and Step-up Authentication

7 min

MFA dan step-up authentication untuk React apps: assurance level, sensitive-action challenge, re-authentication, risk-based prompts, WebAuthn/passkeys boundary, recovery UX, testing, and failure modelling.

29

Passkeys/WebAuthn for React Engineers

6 min

Passkeys dan WebAuthn untuk React engineers: mental model, ceremony, server verification boundary, registration, authentication, UX, recovery, step-up, testing, dan failure modelling.

30

Auth Provider Integration Patterns

6 min

Auth provider integration patterns untuk React apps: Auth0, Clerk, WorkOS, Cognito, Supabase/Firebase-style providers, hosted UI, SDK boundary, BFF, lock-in surface, authorization separation, migration, testing, and production readiness.

31

Protected Routes Are Not Enough

10 min

Why protected routes are not enough in React apps: render-time guards, data leaks before redirect, loader/action auth, frontend exposure control, backend enforcement, failure modes, testing, and migration to route/data authorization boundaries.

32

React Router Auth Architecture

8 min

React Router auth architecture across Declarative, Data, and Framework modes: route protection, loader/action auth, middleware, root session loading, route metadata, permission checks, revalidation, SSR/BFF boundaries, and decision matrix.

33

Loader-level Authentication

12 min

Loader-level authentication for React Router Data and Framework modes: authenticate before render, prevent data flash, design root/session loaders, redirect safely, handle 401/403/degraded states, integrate BFF/session cookies, and test auth boundaries before route data is exposed.

34

Action-level Authorization

10 min

Action-level authorization for React Router mutations: authenticate and authorize form submissions before write, protect server actions and client actions, handle CSRF, ownership, state transitions, idempotency, optimistic UI rollback, typed denial, and post-mutation revalidation.

35

Router Middleware Auth

8 min

Router middleware auth for React Router: session loading, typed auth context, route-wide policy plumbing, parent-child execution order, server vs client middleware, redirect strategy, error handling, observability, and why middleware is a reusable boundary but not the final authorization authority.

36

Return URL and Open Redirect Defense

8 min

Return URL and open redirect defense for React authentication flows: safe post-login intent, URL canonicalization, internal-only redirects, allowlists, OAuth callback safety, route-loader redirects, step-up return paths, tenant switching, redirect-loop prevention, and tests that catch phishing and exploit-chain risks.

37

Pending UI and Auth Race Conditions

8 min

Pending UI and auth race conditions in React Router apps: navigation state, loader/action concurrency, session refresh races, logout during pending work, tenant switches, auth epochs, stale response suppression, request cancellation, and safe UX for authenticated applications.

38

Auth Error Boundaries

7 min

Auth error boundaries for React Router apps: typed 401/403/session-expired/step-up/tenant-mismatch failures, route-level recovery, nested error boundaries, secure denial UX, error sanitization, observability, and testing strategies.

39

Route Metadata Permissions

9 min

Route metadata permissions for React Router apps: handle-based permission metadata, route policy contracts, inherited policy, loader/action integration, menu derivation, static analysis, testing, and secure defaults.

40

Route-driven Layout Security

8 min

Route-driven layout security for React apps: nested layouts, sidebars, menus, breadcrumbs, command palettes, tabs, outlet context, no-data-flash rendering, cache cleanup, SSR considerations, and secure composition patterns.

41

Authorization Mental Model

14 min

Authorization mental model for React engineers: subject-action-resource-context, policy decision point, policy enforcement point, deny-by-default, decision contracts, permission projection, workflow authorization, tenant boundaries, cache invalidation, and testing strategy.

42

RBAC in React Apps

10 min

RBAC in React apps: users, roles, permissions, sessions, tenant-scoped roles, role hierarchy, constraints, separation of duties, permission projection, UI exposure, route metadata, admin UX, cache invalidation, migration from role checks, and testing.

43

Permission-based UI

16 min

Permission-based UI for React applications: capability contracts, can() primitives, deny-by-default rendering, allowed actions, route/menu/action exposure, async permission state, cache invalidation, testing, and anti-patterns.

44

ACL and Object-level Permission

14 min

ACL and object-level permission for React applications: per-resource authorization, ownership, grants, groups, inheritance, allowedActions, IDOR/BOLA defense, object pages, row actions, bulk operations, caching, audit, and testing.

45

ABAC for React Engineers

17 min

ABAC for React engineers: subject, resource, action, and environment attributes; policy decision contracts; frontend permission projection; attribute freshness; risk context; multi-tenant constraints; UI implications; testing; and failure modes.

46

ReBAC and Zanzibar-style Permissions

14 min

ReBAC and Zanzibar-style permissions for React engineers: relationship tuples, usersets, object graphs, inheritance, contextual tuples, consistency, permission checks, frontend projections, collaboration UX, caching, and failure modelling.

47

Policy as Data vs Policy as Code

10 min

Policy as Data vs Policy as Code for React engineers: authorization policy placement, hardcoded checks, permission tables, external policy engines, Cedar/Rego/OpenFGA-style models, versioning, testing, auditability, and frontend implications.

48

Frontend Permission Contract

6 min

Frontend permission contract for React applications: stable action vocabulary, decision projection, allowed actions, denial reasons, constraints, obligations, field permissions, route metadata, cache invalidation, schema versioning, and contract testing.

49

Permission Cache Invalidation

10 min

Permission cache invalidation for React applications: role changes, org switches, object grant updates, session refresh, stale privilege, permission epochs, event-driven invalidation, cache keys, cross-tab coordination, testing, and failure modes.

50

Deny-by-default React UI

7 min

Deny-by-default React UI for authorization-aware applications: unknown permission state, safe rendering, permission boundaries, skeletons, hidden vs disabled controls, field-level denial, route layout policy, SSR/hydration, testing, and design-system integration.

51

Component Authorization Patterns

11 min

Component authorization patterns for React applications: conditional rendering, guard components, render props, hooks, HOCs, design-system wrappers, row actions, field-level authorization, policy projection, failure modes, and testing.

52

Designing useCan()

8 min

Designing a production-grade useCan hook for React authorization: API shape, decision states, synchronous and asynchronous permissions, resource identity, batching, cache invalidation, external stores, SSR, testing, and failure modes.

53

Permission-aware Design System

15 min

Building a permission-aware design system for React applications: action components, menu items, forms, tables, bulk actions, empty states, accessibility, design tokens, authorization contracts, failure modes, and testing.

54

Forms and Field-level Permission

15 min

Deep implementation guide for forms and field-level permission in React: editable/read-only/hidden/masked fields, server-projected field policies, validation versus authorization, patch semantics, workflow state, stale permission handling, and testing.

55

Table Row Action Authorization

15 min

Deep implementation guide for table row action authorization in React: per-row allowed actions, bulk action eligibility, stale permission handling, denial reasons, optimistic UI, and server-side enforcement boundaries.

56

Navigation/Menu Permission

13 min

Deep implementation guide for navigation and menu permission in React: sidebars, breadcrumbs, tabs, command palettes, direct URL access, route metadata, tenant-aware navigation, and deny-by-default menu projection.

57

Feature Flags vs Permissions

11 min

Deep implementation guide for separating feature flags from permissions in React: release control vs access control, entitlement boundaries, flag evaluation, policy enforcement, migration, and failure modes.

58

Permission Reason and User Feedback

8 min

Deep implementation guide for permission reason and user feedback in React: denial reasons, recovery paths, request access flows, safe error messaging, auditability, and UX-security trade-offs.

59

Admin Impersonation UI

10 min

Deep implementation guide for admin impersonation UI in React: impersonation state, audit banner, constrained capability, safe support debugging, session isolation, tenant boundary, and abuse-resistant design.

60

Access Request Workflows

8 min

Deep implementation guide for access request workflows in React: request access, approval chains, temporary grants, expiry, delegation, auditability, and production-grade permission recovery.

61

API Client Auth Boundary

8 min

Deep implementation guide for designing an auth-aware API client boundary in React: request signing, token/cookie transport, refresh queues, retries, aborts, 401/403 semantics, CSRF, tenant context, and safe failure handling.

62

TanStack Query Auth Integration

10 min

Deep implementation guide for integrating TanStack Query with React auth: session-scoped query keys, cache invalidation, logout cleanup, 401/403 retry semantics, AbortSignal, optimistic mutation rollback, permission projection, and SSR/persistence risks.

63

GraphQL Auth in React

8 min

GraphQL auth in React: authentication transport, authorization at resolver/business boundary, partial data, field-level permission, cache isolation, and safe client UX.

64

REST BOLA/IDOR Defense from Frontend Perspective

9 min

REST BOLA/IDOR defense from the frontend perspective: object identifiers, route params, API contracts, tenant scoping, safe UI assumptions, and server-side enforcement expectations.

65

File Upload/Download Authorization

13 min

File upload and download authorization for React apps: object permissions, signed URLs, upload intent, finalize flow, preview leaks, cache risks, and server-side enforcement.

66

WebSocket/SSE Auth

13 min

WebSocket and Server-Sent Events auth for React apps: handshake authentication, channel authorization, cookie/token transport, reconnect, refresh, revocation, and stream-safe UI.

67

Background Jobs and Polling Auth

11 min

Background jobs and polling auth for React apps: visibility-aware polling, session expiry, logout cancellation, permission drift, tenant switch, refresh storms, and safe job status UX.

68

Cache Control for Authenticated UI

12 min

Cache-control for authenticated React UI: browser cache, CDN cache, bfcache, service worker, API responses, query cache, Clear-Site-Data, logout cleanup, and sensitive data containment.

69

Optimistic UI with Authorization

9 min

Optimistic UI with authorization: provisional mutations, rollback, 401/403 semantics, permission drift, stale grants, idempotency, bulk action preview, and secure recovery in React data layers.

70

Offline and Degraded Auth

8 min

Offline and degraded authentication/authorization in React: cached reads, queued writes, revalidation, degraded IdP/API states, service workers, permission TTL, conflict recovery, and secure sync.

71

SPA vs SSR vs BFF Auth

9 min

SPA vs SSR vs BFF authentication architecture for React apps: trust boundaries, token exposure, session model, data loading, CSRF/XSS trade-offs, deployment constraints, and decision matrix.