What is Authorization? Access Control Explained

TL;DR

Authorization determines what a user can do after they've logged in. While authentication asks "Who are you?", authorization asks "What are you allowed to do?" It's checking permissions before every action: Can this user delete that post? Can they view this dashboard? Can they access another user's data? Broken authorization is the #1 cause of data breaches in web apps.

The Simple Explanation

Imagine a hotel. Authentication is the front desk checking your ID and giving you a room key. Authorization is the key only working on YOUR room door, not every room in the hotel.

In your app, authorization happens when:

  • A user tries to view their own profile (allowed) vs someone else's private profile (denied)
  • An admin accesses the admin dashboard (allowed) but a regular user cannot (denied)
  • A free user tries to access premium features (denied until upgraded)

Why Authorization Matters

Broken access control is the #1 vulnerability in the OWASP Top 10 (2021). It's responsible for more data breaches than any other issue.

Common mistake: Checking if a user is logged in, but not checking if they have permission to do what they're trying to do. Being authenticated doesn't mean being authorized.

Authorization Patterns

Role-Based Access Control (RBAC)

Users are assigned roles, and roles have permissions. Most apps use this approach.

  • Viewer: Can view posts
  • Editor: Can view and edit posts
  • Admin: Can view, edit, delete posts and manage users

Attribute-Based Access Control (ABAC)

Permissions based on attributes of the user, resource, and context. More flexible but more complex.

  • "Users can edit posts they created"
  • "Managers can approve requests from their department"
  • "Premium users can access content if their subscription is active"

Row Level Security (RLS)

Database-enforced authorization. The database itself filters which rows each user can see. Supabase uses this heavily. Even if your app code has a bug that skips a check, the database still applies the policy to every query.

Authorization Best Practices

  • Default deny: Start with no access, explicitly grant permissions
  • Check on every request: Don't assume prior checks still apply
  • Use middleware: Centralize authorization logic, don't copy-paste
  • Defense in depth: Check in your app AND in your database (RLS)
  • Log access: Track who accessed what for audit purposes
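The following is an added example, not code from the original page: a default-deny authorization check in Python that combines RBAC role permissions with an ABAC-style "users can edit posts they created" rule, is called on every request, and records each decision for audit. The role table, users and posts are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# RBAC: role -> set of permissions (constructed sample data for this example).
ROLE_PERMISSIONS = {
    "viewer": {"post:view"},
    "editor": {"post:view", "post:edit"},
    "admin": {"post:view", "post:edit", "post:delete", "user:manage"},
}

@dataclass(frozen=True)
class User:
    id: str
    role: Optional[str]  # None models a logged-in user with no role assigned

@dataclass(frozen=True)
class Post:
    id: str
    owner_id: str

class Forbidden(Exception):
    """Raised by the middleware-style guard when a check fails."""

AUDIT_LOG = []  # (user id, action, resource id, decision) for every check

def is_allowed(user: Optional[User], action: str, post: Optional[Post] = None) -> bool:
    """Default deny: returns True only when an explicit rule grants the action."""
    if user is None:  # not authenticated at all
        return False
    perms = ROLE_PERMISSIONS.get(user.role, set())  # unknown/no role -> no permissions
    if action == "post:edit":
        # ABAC-style attribute rule: the creator may edit their own post even
        # without the editor role; editors/admins may edit any post.
        return "post:edit" in perms or (post is not None and post.owner_id == user.id)
    if action in ("post:view", "post:delete", "user:manage"):
        return action in perms
    return False  # actions without an explicit rule are denied

def authorize(user: Optional[User], action: str, post: Optional[Post] = None) -> bool:
    """Guard to call on every request; logs the decision and raises Forbidden on deny."""
    decision = is_allowed(user, action, post)
    AUDIT_LOG.append((user.id if user else "anonymous", action,
                      post.id if post else "-", "allow" if decision else "deny"))
    if not decision:
        raise Forbidden(f"{action} denied")
    return True

if __name__ == "__main__":
    alice, dave = User("alice", "viewer"), User("dave", None)
    post = Post("p1", owner_id="alice")
    print(is_allowed(alice, "post:edit", post))        # True: owner rule
    print(is_allowed(dave, "post:view"))               # False: logged in, but not authorized
```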

What is the difference between authentication and authorization?

Authentication verifies WHO you are (identity verification through login). Authorization determines WHAT you can do (permission checking). Authentication happens once at login, while authorization checks happen on every action or resource access.

What is RBAC (Role-Based Access Control)?

RBAC assigns permissions to roles rather than individual users. Users are assigned roles like "admin", "editor", or "viewer", and each role has specific permissions. This makes managing access easier as your user base grows.

What is Row Level Security (RLS)?

RLS is database-level authorization that controls which rows each user can access. Instead of filtering data in your app code, the database itself enforces access rules. Supabase uses RLS extensively. It ensures users only see their own data even if your app code has bugs.
