For an overview of the security, please check Features > Security.

This section will explain in detail the implementations of security on ScaffoldHub.

All the security files must be replicated on both frontend and backend.

  • frontend/src/security

  • backend/src/security

Frontend security is just for the application not to show what users are not allowed to do and can be easily hacked because frontend files are just HTML, CSS, and Javascript. Real security happens on the backend.


Every action a user can perform on the application has a related permission.

  • allowedRoles: The user roles that contain that permission.

  • allowedPlans: The plans that contain that permission.

  • allowedStorage: The file storage folders that permission can access.

Backend Authentication

When the user signs-in, he receives a secure JWT token.

The frontend then sends this token on each request via the Authorization header.

Using an authentication middleware, the backend validates this token, fetches the current user, and assigs him to the request.

Backend Permission

Each endpoint validates if the user has the permission to access that resource.

Some endpoints, like sign-in and sign-up, do not require the user to be authenticated, and for those cases, it just doesn't validate the presence of the user on the request.

Frontend Permission

Menus have their permission assigned to them and are only shown if the user contains a role that contains that permission.


Action buttons also have validations to check if the user has permission.

Last updated