Permission Validation Middleware
Component Detail
Service Layer | high complexity | Shared Component | backend
Dependencies: 1 | Dependents: 0 | Entities: 18 | Integrations: 0
Description
Next.js middleware that runs on every protected API route (`/api/v1/...`) to validate the JWT access token and enforce role-based access at the backend. It extracts the role and organisation ID claims from the verified token and rejects requests that lack the required role for the requested endpoint. This ensures that the access rules the mobile app enforces in its UI are backed by server-side validation rather than trusted from the client.
permission-validation-middleware
Responsibilities
- Intercept all requests to protected API routes before handler execution
- Verify JWT signature and expiry
- Extract role and organisation ID claims from the verified token
- Reject requests with HTTP 403 when the role is insufficient for the endpoint
- Enforce tenant isolation by validating the organisation ID matches the requested resource scope
Interfaces
middleware(request: NextRequest) -> NextResponse
extractClaims(token: string) -> JwtClaims
requireRole(roles: UserRole[]) -> MiddlewareHandler
requireOrgAccess(orgId: string) -> MiddlewareHandler
verifyToken(token: string) -> JwtClaims | null
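As an added illustration of the responsibilities and interfaces listed above (this is example code, not the component's own source), a self-contained TypeScript sketch: an HS256 verifyToken that checks signature, algorithm and expiry, plus requireRole and requireOrgAccess composed by middleware. The Req/Res types standing in for NextRequest/NextResponse, the UserRole values, the HS256 secret and the signToken helper are assumptions made so it runs without Next.js.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";
// Assumed types (the page names the claims, not their shape); Req/Res stand in for
// NextRequest/NextResponse so this runs without Next.js. Status 200 means "pass through".
type UserRole = "admin" | "coordinator" | "volunteer";
interface JwtClaims { sub: string; role: UserRole; orgId: string; exp: number }
interface Req { path: string; authorization?: string }
interface Res { status: number }
type MiddlewareHandler = (req: Req, claims: JwtClaims) => Res;

const SECRET = "constructed-example-secret"; // constructed; real deployments load it from config
const enc = (o: object) => Buffer.from(JSON.stringify(o)).toString("base64url");
// Constructed HS256 minting helper (the issuer's job) so the example is self-contained.
function signToken(claims: JwtClaims): string {
  const body = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}`;
  return `${body}.${createHmac("sha256", SECRET).update(body).digest("base64url")}`;
}

// verifyToken: constant-time signature check, pinned alg, expiry and claim-shape checks; null on any failure.
function verifyToken(token: string, nowMs = Date.now()): JwtClaims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  const expected = createHmac("sha256", SECRET).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  try {
    const header = JSON.parse(Buffer.from(h, "base64url").toString());
    const c = JSON.parse(Buffer.from(p, "base64url").toString());
    if (header.alg !== "HS256" || typeof c.exp !== "number" || c.exp * 1000 <= nowMs) return null;
    if (typeof c.role !== "string" || typeof c.orgId !== "string") return null;
    return c as JwtClaims;
  } catch { return null; }
}

// requireRole: 403 unless the verified role is in this endpoint's allow-list.
const requireRole = (roles: UserRole[]): MiddlewareHandler => (_req, claims) =>
  roles.includes(claims.role) ? { status: 200 } : { status: 403 };
// requireOrgAccess: tenant isolation; the token's orgId must equal the requested resource's org.
const requireOrgAccess = (orgId: string): MiddlewareHandler => (_req, claims) =>
  claims.orgId === orgId ? { status: 200 } : { status: 403 };

// middleware: 401 without a valid token, then run the route's handlers in order; first failure wins.
function middleware(req: Req, handlers: MiddlewareHandler[], nowMs = Date.now()): Res {
  const auth = req.authorization ?? "";
  const claims = auth.startsWith("Bearer ") ? verifyToken(auth.slice(7), nowMs) : null;
  if (!claims) return { status: 401 };
  for (const h of handlers) { const r = h(req, claims); if (r.status !== 200) return r; }
  return { status: 200 };
}
```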
Relationships
Related Data Entities (18)
Data entities managed by this component
Activity (26 fields, core)
Activity Approval (19 fields, core)
Assignment (21 fields, core)
Assignment Threshold Config (15 fields, configuration)
Contact (22 fields, core)
Contact Caregiver (14 fields, core)
Event (19 fields, core)
Event Registration (13 fields, core)
Expense (23 fields, core)
Expense Approval (13 fields, core)
Feature Flag (8 fields, configuration)
Note (16 fields, core)
Organization (17 fields, core)
Referral Link (10 fields, core)
Session (16 fields, core)
User (21 fields, core)
User Role (11 fields, configuration)
User Role Assignment (11 fields, core)