Authentication & Authorization

Bike4Mind implements a robust, extensible authentication and fine-grained authorization system designed to meet enterprise security and compliance needs.

Authentication

Multi-Strategy OAuth Integration

The platform supports several OAuth 2.0 strategies for seamless integration with common identity providers:

  • Google
  • GitHub
  • Okta (SAML/OIDC, enterprise-ready)

These strategies enable organizations to integrate their existing identity platforms without custom development.

JWT-Based Session Management

Authentication is managed through stateless JSON Web Tokens (JWTs):

  • Access tokens are short-lived and passed via the Authorization header for authenticated API access.
  • Refresh tokens extend sessions without requiring re-authentication and are stored securely on the client.
  • Tokens are signed with secret keys and validated server-side using strict expiration and signature checks.
  • Session information is auditable via administrative tools for compliance and security review.

Middleware-Based Flow

Authentication and authorization logic is centrally handled through a shared baseApi() middleware wrapper. This ensures:

  • Database connection setup
  • Authentication and user identity extraction from JWT
  • Permission system instantiation (req.ability)
  • Unified logging and error handling for API routes

Authorization

CASL-Based Permission Framework

Bike4Mind uses CASL (Code Access Security Layer), a powerful and flexible authorization library that allows for declarative and context-aware permissions. For every request:

  • A user’s permissions (or "abilities") are generated dynamically.

  • Permissions are enforced through the pattern:

    req.ability.can(action, subject)

Permission Scope Patterns

The system supports multiple levels of access control:

  1. Owner Permissions
     Users may perform actions only on resources they created or own.

     can('update', 'Notebook', { userId: user.id })

  2. Shared Access
     Resources can be shared directly with other users, including specific permissions.

     can('read', 'File', { 'sharedWith.userId': user.id })

  3. Group-Based Permissions
     Users can inherit permissions through membership in organizational or project groups.

     can('update', 'Prompt', { groupId: { $in: user.groups } })

  4. Global or Public Access
     Certain resources (e.g. templates or examples) may be marked as globally accessible.

     can('read', 'Prompt', { isGlobal: true })

Role Definitions

Bike4Mind uses a role-based access system to further structure platform permissions:

  • Admin – unrestricted platform-wide access
  • Org Admin – scoped administrative privileges for a specific organization
  • Team Member – access to personal and team-shared resources
  • Guest – limited, often read-only access

These roles are enforced consistently across the platform via CASL and respected by both front-end and API layers.
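The scope patterns and the role tiers above both come down to a per-request set of rules checked with req.ability.can(action, subject). The following added example is not Bike4Mind's code and not the CASL library: it is a small condition-based ability checker that reproduces the four scope patterns (owner, shared, group, global) and the role tiers in that shape, including the dotted 'sharedWith.userId' path and the $in operator from the snippets. The role names (admin, orgAdmin, teamMember, guest), the orgId field used to scope an Org Admin, and the user and resource shapes are constructed for the example.

```javascript
// Added example (not Bike4Mind's code and not the CASL library): a small
// condition-based ability checker that reproduces the four scope patterns and
// the role tiers from the text in the req.ability.can(action, subject) shape.
// Role names, the orgId field and the user/resource shapes are constructed.

// Resolve a dotted path such as 'sharedWith.userId'. Arrays met along the way
// are fanned out, so one resource can yield several candidate values.
function valuesAt(obj, path) {
  return path.split('.').reduce((candidates, key) => candidates.flatMap((v) => {
    if (v === null || v === undefined) return [];
    const next = v[key];
    return Array.isArray(next) ? next : [next];
  }), [obj]);
}

// A rule condition matches when every field either equals the expected value
// or, for { $in: [...] }, is one of the listed values. Missing fields never
// match, so a resource without sharedWith is not accidentally readable.
function matches(resource, conditions) {
  return Object.entries(conditions).every(([path, expected]) => {
    const found = valuesAt(resource, path);
    if (expected !== null && typeof expected === 'object' && Array.isArray(expected.$in)) {
      return found.some((v) => expected.$in.includes(v));
    }
    return found.some((v) => v === expected);
  });
}

// Build the ability for one user from its role, mirroring how rules are
// generated per request. 'manage' and 'all' are wildcards, as in CASL.
function defineAbilitiesFor(user) {
  const rules = [];
  const can = (action, subject, conditions = {}) => rules.push({ action, subject, conditions });

  switch (user.role) {
    case 'admin':
      can('manage', 'all');                                        // unrestricted
      break;
    case 'orgAdmin':
      can('manage', 'Notebook', { orgId: user.orgId });            // scoped to one org (orgId assumed)
      can('manage', 'Prompt', { orgId: user.orgId });
      break;
    case 'teamMember':
      can('update', 'Notebook', { userId: user.id });              // owner
      can('read', 'File', { 'sharedWith.userId': user.id });       // shared directly
      can('update', 'Prompt', { groupId: { $in: user.groups } });  // group membership
      can('read', 'Prompt', { isGlobal: true });                   // public
      break;
    case 'guest':
    default:
      can('read', 'Prompt', { isGlobal: true });                   // read-only, public only
  }

  return {
    rules,
    // With no resource the question is "may this user do X to any Subject";
    // with one, each rule's conditions are checked against that instance.
    can(action, subject, resource) {
      return rules.some((r) =>
        (r.action === 'manage' || r.action === action) &&
        (r.subject === 'all' || r.subject === subject) &&
        (resource === undefined || matches(resource, r.conditions)));
    },
  };
}

// Usage with constructed users and resources, as the middleware would expose it on req.ability.
const ability = defineAbilitiesFor({ id: 'u1', role: 'teamMember', groups: ['g1'] });
console.log(ability.can('update', 'Notebook', { userId: 'u1' }));               // true
console.log(ability.can('update', 'Notebook', { userId: 'u2' }));               // false
console.log(ability.can('read', 'File', { sharedWith: [{ userId: 'u1' }] }));   // true
```

Because the conditions are evaluated against the resource instance, the same rule set can be used both to answer a yes/no check on a loaded object and, in a real system, to derive a query filter so that list endpoints only return rows the caller is allowed to see.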