Project Overview
This project is a university-focused chatbot built for the TIU Impact Hub, a student-led innovation and leadership community at Tokyo International University in Japan.
The chatbot is powered by Gemini AI, and integrates Permit.io to protect sensitive actions (like mass emailing) through fine-grained, externalized access control.
Why Permit.io?
Instead of hardcoding logic like `if user.role === 'admin'`, I used Permit.io for:
- Role-based access (admin vs visitor)
- Externalized policy enforcement
- A future-ready structure for more scalable AI commands (e.g., Discord posting, Slack messages)
Live App or Local Testing Instructions
This app currently runs locally (not yet deployed). You can easily test it with:
**Backend**
```bash
cd server
npm install
node server.js
```
**Frontend**
```bash
cd client
npm install
npm run dev
```
Test Accounts
Please use the following credentials for testing:
**Admin**
- userId: admin
- role: admin
- password: 2025DEVChallenge

**Visitor**
- userId: newuser
- role: visitor
- password: 2025DEVChallenge
These values are passed to the backend in the request body and evaluated by Permit.io to allow or block AI actions.
AI Features
- Gemini AI chatbot: Responds only to TIU-related questions
- /send_email command: Sends emails to all members (admin-only)
- Visitors are politely denied if they try restricted actions
Key Code Samples
Access Control Enforcement
```javascript
// Ask Permit.io whether this user/role may run the restricted action
const isAllowed = await checkPermission(userId, "send_email_to_members", role);
if (!isAllowed) {
  // Visitors get a polite refusal instead of the email being sent
  return res.json({ reply: "You are not allowed to send emails." });
}
```
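The gate above, as an added example that is not the project's own code: `checkPermission` keeps the README's `(userId, action, role)` signature, but its body is a constructed stub standing in for a `permit.check()` call against a running Permit.io PDP, so the whole thing runs offline. It also assumes a constructed server-side session store, so the role comes from the session rather than from the request body.

```javascript
// Added example (not the project's code): the /send_email gate from the
// README, built so it runs offline. checkPermission keeps the README's
// (userId, action, role) signature; in the real app its body would call
// permit.check(userId, action, resource) from the permitio SDK against a
// running PDP. STUB_POLICY and SESSIONS below are constructed test data.

// Constructed stand-in for the Permit.io policy: role -> allowed actions.
const STUB_POLICY = {
  admin: new Set(["send_email_to_members"]),
  visitor: new Set(),
};

// Constructed server-side session store. Resolving the role here, rather
// than reading it from the request body, stops a visitor from claiming
// the admin role by editing the request.
const SESSIONS = new Map([
  ["tok-admin", { userId: "admin", role: "admin" }],
  ["tok-visitor", { userId: "newuser", role: "visitor" }],
]);

// Same shape as the README's helper; swap the body for permit.check().
async function checkPermission(userId, action, role, policy = STUB_POLICY) {
  const allowed = policy[role];
  return Boolean(allowed && allowed.has(action));
}

// "/send_email <body>" is the only restricted command in the README.
function parseCommand(message) {
  const m = /^\/send_email\s+([\s\S]+)$/.exec(message.trim());
  return m ? { command: "send_email", body: m[1] } : null;
}

// One chat turn. `sendEmail` is injected so the example never sends mail;
// it returns the number of recipients. Returns the JSON reply the route
// would send, or handled:false to hand the message on to Gemini.
async function handleChat(sessionToken, message, sendEmail = async () => 0) {
  const user = SESSIONS.get(sessionToken);
  if (!user) return { reply: "Please log in first.", handled: true };
  const cmd = parseCommand(message);
  if (!cmd) return { reply: null, handled: false };
  const isAllowed = await checkPermission(user.userId, "send_email_to_members", user.role);
  if (!isAllowed) return { reply: "You are not allowed to send emails.", handled: true };
  const count = await sendEmail(cmd.body);
  return { reply: `Email sent to ${count} members.`, handled: true };
}
```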
Gemini System Prompt
```javascript
// System prompt prepended to every Gemini request to keep the bot on topic
const systemPrompt = `
You are the official chatbot of TIU Impact Hub, a student-led innovation community...
Only answer questions related to TIU Impact Hub. Refuse politely otherwise.
`;
```
GitHub Repo
https://github.com/Coderanger08/TIUIH_chatbot.git
**Reflection**
Using Permit.io made it so easy to manage access control. It's clean, centralized, and scalable, especially for future plans like posting to Discord or creating AI dashboards with more roles (mentor, manager, etc.).
No more spaghetti role checks in code, just clean policy logic.
Final Thoughts
Thanks to the Permit.io team and DEV for this opportunity!
I had fun building this and learned how to combine:
- Gemini AI (text generation)
- Role-based access (externalized)
- Real-world functionality (email)