The latest articles on DEV Community by Sushant Rahate (@sushantrahate). https://dev.to/sushantrahate https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F105767%2F5d2b75f1-01c7-4a8f-ab39-8587b5c70b04.png https://dev.to/sushantrahate en Sushant Rahate Sun, 19 Apr 2026 18:52:20 +0000 https://dev.to/sushantrahate/what-did-earth-look-like-when-you-were-born-i-built-it-to-find-out-3i8i https://dev.to/sushantrahate/what-did-earth-look-like-when-you-were-born-i-built-it-to-find-out-3i8i <h2> 🌍 I Built a Climate Time Machine That Makes CO₂ Data Feel Personal </h2> <p><em>This is a submission for <a href="https://dev.to/challenges/weekend-2026-04-16">Weekend Challenge: Earth Day Edition</a></em></p> <p>The problem with climate data is that it's abstract. "+1.25°C" doesn't land. "427 ppm CO₂" doesn't hurt. Numbers don't move people — stories do.</p> <p>So I asked a different question: <strong>what if you could see exactly what the planet looked like the year you were born?</strong></p> <p>That's Earth Time Machine. Enter your birth year. Feel what changed.</p> <h2> What I Built </h2> <p><strong>Earth Time Machine</strong> is an interactive climate data experience that makes global warming feel personally relevant by anchoring every metric to your birth year.</p> <h3> The core idea </h3> <p>Instead of showing abstract global averages, it asks: <em>what was CO₂ when you were born? How much Arctic ice existed? How many more people share this planet now?</em> Every number becomes a story about your lifetime.</p> <h3> Features </h3> <ul> <li><p>🌐 <strong>Animated 3D globe</strong> in the hero — hand-coded in Canvas 2D, no WebGL library. The globe visibly browns and cracks based on the CO₂ rise since your birth year. Born in 1960? Healthy green oceans. 2008? Noticeably warmer.</p></li> <li><p>💨 <strong>CO₂ breathing animation</strong> — the number counts up from zero to your lifetime rise, then locks and pulses gently like Earth exhaling. No looping. It arrives and stays.</p></li> <li><p>📊 <strong>6 planetary vital sign cards</strong> — CO₂, temperature, Arctic sea ice, forest cover, population, sea level. Each has a sparkline, animated thermometers, comparison bars, and a "sting" — a one-line gut-punch fact that reveals after you've absorbed the numbers.</p></li> <li><p>🌍 <strong>20-country local data</strong> — select your country and see local warming vs world average, per-capita CO₂ then vs now, and your country's climate risk tier. India's local warming hits differently than Canada's.</p></li> <li><p>🔮 <strong>4 IPCC scenario projections to 2100</strong> — actual path, Paris 1.5°C, moderate action, worst case. Canvas-drawn chart showing where each path leads. Interactive tabs with verdicts.</p></li> <li><p>🌿 <strong>Paris Path toggle</strong> — overlays what values <em>should</em> be if the Paris Agreement was met. The gap is sobering.</p></li> <li><p>🎮 <strong>Generational compare mode</strong> — enter two birth years, see the CO₂ absorbed between them, the temperature difference, the ice lost. Perfect for showing a parent vs child what Earth each of them inherited.</p></li> <li><p>🎯 <strong>Climate knowledge quiz</strong> — 4 randomised questions from a pool of 8. Immediate feedback, score bar, explanations. Keeps people engaged after the data shock.</p></li> <li><p>🔊 <strong>Ambient sound</strong> — two sine-wave oscillators through the Web Audio API. As you drag the year scrubber, the pitch shifts — deeper in early decades, eerier as CO₂ rises. Subtle but effective.</p></li> <li><p>📥 <strong>Download your Earth Identity Card</strong> as PNG via html2canvas. Share your personal climate report on social media.</p></li> <li><p>🌐 <strong>Live CO₂ clock</strong> in the sticky toolbar — ticks upward in real time at the actual rate (2.4 ppm/year). Watch it move.</p></li> </ul> <h2> Demo </h2> <p>🔗 <strong><a href="https://earth-time-machine.vercel.app/" rel="noopener noreferrer">https://earth-time-machine.vercel.app/</a></strong></p> <p>Try entering:</p> <ul> <li> <strong>1960</strong> — see a relatively healthy planet, then watch how much changed</li> <li> <strong>1990</strong> — the year of the Earth Summit, Rio. CO₂ was already rising fast</li> <li> <strong>2005</strong> — the year Arctic ice hit a then-record low</li> </ul> <blockquote> <p>Drag the year scrubber slowly from 1950 to 2026. Watch the CO₂ pill change. Listen to the drone shift. Find 2007 — the year the Arctic shattered its record.</p> </blockquote> <h2> Code </h2> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/sushantrahate" rel="noopener noreferrer"> sushantrahate </a> / <a href="https://github.com/sushantrahate/earth-time-machine" rel="noopener noreferrer"> earth-time-machine </a> </h2> <h3> </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">🌍 Earth Time Machine</h1> </div> <blockquote> <p>What did Earth look like when you were born?</p> </blockquote> <p>Enter your birth year and see exactly how the planet changed in your lifetime — CO₂ levels, temperature rise, Arctic ice loss, forest cover, sea level rise, and more. Every number anchored to your life, not abstract history.</p> <p><strong>Live:</strong> <a href="https://earth-time-machine.vercel.app/" rel="nofollow noopener noreferrer">https://earth-time-machine.vercel.app/</a></p> <p><strong>Article:</strong> <a href="https://dev.to/sushantrahate/what-did-earth-look-like-when-you-were-born-i-built-it-to-find-out-3i8i" rel="nofollow">https://dev.to/sushantrahate/what-did-earth-look-like-when-you-were-born-i-built-it-to-find-out-3i8i</a></p> <div class="markdown-heading"> <h2 class="heading-element">Built With</h2> </div> <ul> <li>React 19 + Vite 6</li> <li>Tailwind CSS v4</li> <li>Canvas 2D API (globe + charts)</li> <li>Web Audio API (ambient sound)</li> </ul> <div class="markdown-heading"> <h2 class="heading-element">Run Locally</h2> </div> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto js-code-highlight"> <pre>git clone https://github.com/sushantrahate/earth-time-machine.git <span class="pl-c1">cd</span> earth-time-machine npm install npm run dev</pre> </div> <div class="markdown-heading"> <h2 class="heading-element">Submission</h2> </div> <p>Built for the <a href="https://dev.to/challenges/weekend-2026-04-16" rel="nofollow">DEV Weekend Challenge: Earth Day Edition 2026</a>.</p> </div> </div> <br> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/sushantrahate/earth-time-machine" rel="noopener noreferrer">View on GitHub</a></div> <br> </div> <br> <p>Built with:</p> <ul> <li><strong>React 19 + Vite 6</strong></li> <li> <strong>Tailwind CSS v4</strong> (single <code>@import "tailwindcss"</code> — no config file)</li> <li> <strong>Canvas 2D</strong> for the globe and all charts (no chart library)</li> <li> <strong>Web Audio API</strong> for ambient sound</li> <li> <strong>html2canvas</strong> for PNG card export</li> </ul> <p>Zero external data dependencies. All climate datasets (CO₂, TEMP, ICE, POP, FOREST, SEA) are bundled from NOAA, NASA GISTEMP, NSIDC, FAO, and UN World Population Prospects.</p> <h2> How I Built It </h2> <h3> The globe </h3> <p>The hardest part was making the hero globe look like Earth — not a red blob, not random ellipses.</p> <p>The breakthrough was switching from <code>position: absolute</code> painted ellipses to actual <strong>spherical projection math</strong>. Each continent is defined as a series of <code>[lat, lon]</code> pairs. A <code>project(lat, lon, t)</code> function maps them onto the 2D canvas using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">project</span><span class="p">(</span><span class="nx">lat</span><span class="p">,</span> <span class="nx">lon</span><span class="p">,</span> <span class="nx">t</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">phi</span> <span class="o">=</span> <span class="p">(</span><span class="nx">lat</span> <span class="o">*</span> <span class="nb">Math</span><span class="p">.</span><span class="nx">PI</span><span class="p">)</span> <span class="o">/</span> <span class="mi">180</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">lam</span> <span class="o">=</span> <span class="p">(</span><span class="nx">lon</span> <span class="o">*</span> <span class="nb">Math</span><span class="p">.</span><span class="nx">PI</span><span class="p">)</span> <span class="o">/</span> <span class="mi">180</span> <span class="o">+</span> <span class="nx">t</span> <span class="o">*</span> <span class="mf">0.35</span><span class="p">;</span> <span class="c1">// t = spin time</span> <span class="kd">const</span> <span class="nx">cosLat</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">cos</span><span class="p">(</span><span class="nx">phi</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">x3d</span> <span class="o">=</span> <span class="nx">cosLat</span> <span class="o">*</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">sin</span><span class="p">(</span><span class="nx">lam</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">y3d</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">sin</span><span class="p">(</span><span class="nx">phi</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">z3d</span> <span class="o">=</span> <span class="nx">cosLat</span> <span class="o">*</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">cos</span><span class="p">(</span><span class="nx">lam</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">z3d</span> <span class="o">&lt;</span> <span class="o">-</span><span class="mf">0.05</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="c1">// back-face cull</span> <span class="k">return</span> <span class="p">[</span><span class="nx">cx</span> <span class="o">+</span> <span class="nx">x3d</span> <span class="o">*</span> <span class="nx">r</span><span class="p">,</span> <span class="nx">cy</span> <span class="o">-</span> <span class="nx">y3d</span> <span class="o">*</span> <span class="nx">r</span><span class="p">];</span> <span class="p">}</span> </code></pre> </div> <p>Back-face culling (<code>z3d &lt; -0.05</code>) means continents on the far side of the globe simply don't draw. The spin is smooth because <code>t</code> increments 0.008 per frame via <code>requestAnimationFrame</code>.</p> <p>The heat factor maps CO₂ rise since your birth year onto a <code>0 → 0.58</code> value that shifts:</p> <ul> <li>Ocean colour (vivid blue → murky)</li> <li>Land colour (forest green → reddish-brown)</li> <li>Ice cap size (large → tiny)</li> <li>Atmosphere halo (blue-cyan → dimmer) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">let</span> <span class="nx">heat</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">birthYear</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">rise</span> <span class="o">=</span> <span class="nf">interp</span><span class="p">(</span><span class="nx">CO2</span><span class="p">,</span> <span class="mi">2026</span><span class="p">)</span> <span class="o">-</span> <span class="nf">interp</span><span class="p">(</span><span class="nx">CO2</span><span class="p">,</span> <span class="nx">birthYear</span><span class="p">);</span> <span class="nx">heat</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">min</span><span class="p">(</span><span class="nx">rise</span> <span class="o">/</span> <span class="mi">90</span><span class="p">,</span> <span class="mf">0.58</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> The CO₂ number </h3> <p>The original version looped through seasonal offsets forever, making the number tick up and down endlessly. That felt anxious and wrong.</p> <p>The fix: count up once with a cubic ease-out, then lock the value and add a <strong>pure CSS pulse</strong> — no more JS interval touching the text:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">tick</span> <span class="o">=</span> <span class="p">(</span><span class="nx">now</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">p</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">min</span><span class="p">((</span><span class="nx">now</span> <span class="o">-</span> <span class="nx">start</span><span class="p">)</span> <span class="o">/</span> <span class="mi">1800</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">ease</span> <span class="o">=</span> <span class="mi">1</span> <span class="o">-</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">pow</span><span class="p">(</span><span class="mi">1</span> <span class="o">-</span> <span class="nx">p</span><span class="p">,</span> <span class="mi">3</span><span class="p">);</span> <span class="nx">el</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="s2">`+</span><span class="p">${(</span><span class="nx">target</span> <span class="o">*</span> <span class="nx">ease</span><span class="p">).</span><span class="nf">toFixed</span><span class="p">(</span><span class="mi">1</span><span class="p">)}</span><span class="s2">`</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">p</span> <span class="o">&lt;</span> <span class="mi">1</span><span class="p">)</span> <span class="nf">requestAnimationFrame</span><span class="p">(</span><span class="nx">tick</span><span class="p">);</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">el</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="s2">`+</span><span class="p">${</span><span class="nx">target</span><span class="p">.</span><span class="nf">toFixed</span><span class="p">(</span><span class="mi">1</span><span class="p">)}</span><span class="s2">`</span><span class="p">;</span> <span class="c1">// locked</span> <span class="nx">el</span><span class="p">.</span><span class="nx">classList</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="dl">'</span><span class="s1">breathing</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// CSS pulse only</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="k">@keyframes</span> <span class="n">co2Breathe</span> <span class="p">{</span> <span class="err">0</span><span class="o">%,</span> <span class="err">100</span><span class="o">%</span> <span class="p">{</span> <span class="nl">transform</span><span class="p">:</span> <span class="n">scale</span><span class="p">(</span><span class="m">1</span><span class="p">);</span> <span class="nl">filter</span><span class="p">:</span> <span class="n">drop-shadow</span><span class="p">(</span><span class="m">0</span> <span class="m">0</span> <span class="m">0px</span> <span class="n">rgba</span><span class="p">(</span><span class="m">192</span><span class="p">,</span><span class="m">64</span><span class="p">,</span><span class="m">48</span><span class="p">,</span><span class="m">0</span><span class="p">));</span> <span class="p">}</span> <span class="err">50</span><span class="o">%</span> <span class="p">{</span> <span class="nl">transform</span><span class="p">:</span> <span class="n">scale</span><span class="p">(</span><span class="m">1.028</span><span class="p">);</span> <span class="nl">filter</span><span class="p">:</span> <span class="n">drop-shadow</span><span class="p">(</span><span class="m">0</span> <span class="m">0</span> <span class="m">18px</span> <span class="n">rgba</span><span class="p">(</span><span class="m">192</span><span class="p">,</span><span class="m">64</span><span class="p">,</span><span class="m">48</span><span class="p">,</span><span class="m">.45</span><span class="p">));</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Gentle, readable, and the number never changes again.</p> <h3> Sound design </h3> <p>Web Audio API is blocked until a user gesture (browser policy). The fix is <code>audioCtx.resume()</code> which returns a Promise — you must wait for it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">toggle</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">ctx</span><span class="p">.</span><span class="nf">resume</span><span class="p">().</span><span class="nf">then</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">gain</span><span class="p">.</span><span class="nx">gain</span><span class="p">.</span><span class="nf">cancelScheduledValues</span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">currentTime</span><span class="p">);</span> <span class="nx">gain</span><span class="p">.</span><span class="nx">gain</span><span class="p">.</span><span class="nf">setTargetAtTime</span><span class="p">(</span><span class="mf">0.6</span><span class="p">,</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">currentTime</span><span class="p">,</span> <span class="mf">0.4</span><span class="p">);</span> <span class="nf">updatePitch</span><span class="p">(</span><span class="nx">CO2</span><span class="p">[</span><span class="mi">2026</span><span class="p">]);</span> <span class="p">});</span> <span class="p">};</span> </code></pre> </div> <p>Two oscillators detuned by 2.5Hz create a warm beating effect. As the year scrubber moves, <code>setTargetAtTime</code> glides the frequency smoothly rather than jumping:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">updatePitch</span><span class="p">(</span><span class="nx">co2</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">t</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">max</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">min</span><span class="p">((</span><span class="nx">co2</span> <span class="o">-</span> <span class="mi">310</span><span class="p">)</span> <span class="o">/</span> <span class="mi">120</span><span class="p">,</span> <span class="mi">1</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">freq</span> <span class="o">=</span> <span class="mi">45</span> <span class="o">+</span> <span class="nx">t</span> <span class="o">*</span> <span class="mi">30</span><span class="p">;</span> <span class="c1">// 45Hz clean → 75Hz tense</span> <span class="nx">osc1</span><span class="p">.</span><span class="nx">frequency</span><span class="p">.</span><span class="nf">setTargetAtTime</span><span class="p">(</span><span class="nx">freq</span><span class="p">,</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">currentTime</span><span class="p">,</span> <span class="mf">1.5</span><span class="p">);</span> <span class="nx">osc2</span><span class="p">.</span><span class="nx">frequency</span><span class="p">.</span><span class="nf">setTargetAtTime</span><span class="p">(</span><span class="nx">freq</span> <span class="o">*</span> <span class="mf">1.045</span><span class="p">,</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">currentTime</span><span class="p">,</span> <span class="mf">1.5</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Architecture </h3> <p>The whole app is structured around a single truth: <code>birthYear</code>. Everything derives from it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>App.jsx ├── birthYear (state) ─────────────────────────────┐ ├── Hero → onReveal(year) sets birthYear │ ├── ShockSection ← birthYear │ ├── Toolbar ← country, toggles │ ├── CountryPanel ← birthYear + country │ ├── Scrubber ← birthYear + sliderYear │ ├── ScenarioChart ← birthYear + scenario │ ├── MetricCards ← birthYear + country + modes │ ├── CompareSection ← birthYear │ ├── Quiz ← birthYear (resets questions) │ ├── Timeline ← birthYear (filters events) │ └── ShareCard ← birthYear + country │ ────────────────────────────────┘ </code></pre> </div> <p>No Redux, no Zustand. Just <code>useState</code> in App.jsx with props passed down. The data layer is pure JS objects — no API calls, no loading states, instant renders.</p> <h3> The data </h3> <p>All datasets are annual means from primary sources, hand-curated and interpolated:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Linear interpolation across sparse data</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">interp</span><span class="p">(</span><span class="nx">data</span><span class="p">,</span> <span class="nx">year</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">[</span><span class="nx">year</span><span class="p">]</span> <span class="o">!==</span> <span class="kc">undefined</span><span class="p">)</span> <span class="k">return</span> <span class="nx">data</span><span class="p">[</span><span class="nx">year</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">keys</span> <span class="o">=</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">data</span><span class="p">).</span><span class="nf">map</span><span class="p">(</span><span class="nb">Number</span><span class="p">).</span><span class="nf">sort</span><span class="p">((</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">a</span> <span class="o">-</span> <span class="nx">b</span><span class="p">);</span> <span class="c1">// find surrounding years and lerp</span> <span class="kd">const</span> <span class="nx">t</span> <span class="o">=</span> <span class="p">(</span><span class="nx">year</span> <span class="o">-</span> <span class="nx">lo</span><span class="p">)</span> <span class="o">/</span> <span class="p">(</span><span class="nx">hi</span> <span class="o">-</span> <span class="nx">lo</span><span class="p">);</span> <span class="k">return</span> <span class="nx">data</span><span class="p">[</span><span class="nx">lo</span><span class="p">]</span> <span class="o">+</span> <span class="nx">t</span> <span class="o">*</span> <span class="p">(</span><span class="nx">data</span><span class="p">[</span><span class="nx">hi</span><span class="p">]</span> <span class="o">-</span> <span class="nx">data</span><span class="p">[</span><span class="nx">lo</span><span class="p">]);</span> <span class="p">}</span> </code></pre> </div> <p>This means every year from 1950–2026 returns an accurate value even if we only store data every 5 years.</p> <h3> What I'd do with more time </h3> <ul> <li>SVG world map with country-level temperature choropleth</li> <li>Real Keeling Curve seasonal animation (actual monthly NOAA data)</li> <li>Share to Twitter/X with OpenGraph preview card</li> <li>Offline PWA support — the whole app works without internet anyway</li> </ul> <h2> Design Philosophy </h2> <p><strong>The biggest design decision wasn't technical — it was emotional.</strong></p> <p>Climate data is usually presented as a problem to solve. Numbers, charts, policy. It lands as guilt or numbness.</p> <p>Earth Time Machine tries a different frame: <em>this happened in your lifetime.</em> You were there. The CO₂ that rose, rose while you were alive. The ice that melted, melted while you watched.</p> <p>That's not guilt — it's stakes. And stakes make people want to act.</p> <p>The dark brown/forest green colour palette is intentional. Earth tones. Soil. The feeling of something organic under stress, not cold data on white.</p> <p>The CO₂ number that arrives and pulses — not loops — is intentional. It's not a process. It's a fact. It stays.</p> <h2> Prize Categories </h2> <p>Not submitting to sponsored prize categories — this project uses no third-party AI APIs, authentication services, or blockchain infrastructure. Just the web platform, open climate data, and a weekend.</p> <p><em>Data sources: NOAA Mauna Loa (CO₂), NASA GISTEMP v4 (temperature), NSIDC Sea Ice Index (Arctic ice), FAO FRA 2025 (forest), UN World Population Prospects (population), CSIRO/Church &amp; White 2011 (sea level). All datasets are annual means verified against primary sources.</em></p> <p><em>Built over one weekend for Earth Day 2026. The planet deserved better tooling.</em></p> devchallenge weekendchallenge Sushant Rahate Sun, 01 Mar 2026 19:54:16 +0000 https://dev.to/sushantrahate/js-daily-byte-a-daily-javascript-quote-bot-built-with-github-actions-pol https://dev.to/sushantrahate/js-daily-byte-a-daily-javascript-quote-bot-built-with-github-actions-pol <p><em>This is a submission for the <a href="https://dev.to/challenges/weekend-2026-02-28">DEV Weekend Challenge: Community</a></em></p> <p>👉 <strong>Check it out in action:</strong> <a href="https://t.me/jsdailybyte" rel="noopener noreferrer">https://t.me/jsdailybyte</a></p> <h2> The Community </h2> <p>JS Daily Byte was built for a Telegram Channel of developers who want to stay sharp on JavaScript fundamentals.</p> <p>We didn’t need another course.<br> We didn’t need long threads.</p> <p>We just needed one clear JavaScript concept, delivered daily.</p> <p>Simple. Focused. Practical.</p> <h2> What I Built </h2> <p>JS Daily Byte is a fully automated Telegram bot powered by GitHub Actions.</p> <p>Every day at 13:00 UTC, it:</p> <ul> <li>Reads a quotes.json file</li> <li>Picks a deterministic quote based on the current date</li> <li>Formats it safely for Telegram</li> <li>Sends it to the JS Daily Byte channel</li> </ul> <p>No servers.<br> No hosting.<br> No cron jobs on a VPS.<br> No backend deployment.</p> <p>Just GitHub + Telegram API.</p> <p>Example message:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>🟡 JS Daily Byte “Every JavaScript program runs inside an execution context with two phases: memory creation and code execution.” </code></pre> </div> <h2> Demo </h2> <p>🔗 Telegram Channel:<br> <a href="https://t.me/jsdailybyte" rel="noopener noreferrer">https://t.me/jsdailybyte</a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F45zaefewq8j9e8ybo1li.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F45zaefewq8j9e8ybo1li.png" alt="Telegram Channel"></a></p> <p>(Every day a new JavaScript concept drops automatically.)</p> <h2> Code </h2> <p>The entire project is open on GitHub:</p> <p>👉 <a href="https://github.com/sushantrahate/js-daily-byte" rel="noopener noreferrer">https://github.com/sushantrahate/js-daily-byte</a></p> <p>Key files:</p> <p><code>quotes.json</code> - Stores all JavaScript concepts in a simple array format.<br> <code>.github/workflows/js-daily-byte.yml</code> - GitHub Action that runs daily and handles the entire automation flow.</p> <h2> How I Built It </h2> <p>The stack is intentionally minimal:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvlvrm2ujcb92ojbcskj1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvlvrm2ujcb92ojbcskj1.png" alt=" "></a></p> <ul> <li>GitHub Actions → daily scheduler (cron at 13:00 UTC)</li> <li>Node.js (inline script) → reads JSON + generates deterministic index</li> <li>Telegram Bot API → sends formatted message</li> <li>Secrets → bot token + chat ID stored securely</li> </ul> <p>Why GitHub Actions?</p> <p>Because:</p> <ul> <li>It’s free</li> <li>It’s reliable</li> <li>It removes infrastructure complexity</li> </ul> <p>The workflow:</p> <ol> <li>Loads the quotes array from <code>quotes.json</code> </li> <li>Generates a deterministic index using the current UTC date</li> <li>Selects the corresponding quote</li> <li>Escapes HTML to ensure Telegram-safe formatting</li> <li>Sends the formatted message to the Telegram channel via the Bot API using curl.</li> </ol> <p>No database.<br> No server.<br> No maintenance.</p> <p>The entire setup takes under 30 minutes.<br> Perfect for a small but meaningful weekend hack. 😉</p> <h2> Build Your Own in 5 Steps </h2> <ol> <li> <p><strong>Create a Telegram bot (via @ BotFather)</strong></p> <ul> <li>Open Telegram and search <strong>@ BotFather</strong> </li> <li>Run <code>/newbot</code> </li> <li>Set a name (example: <code>JS Byte Bot</code>) and a username ending with <code>bot</code> </li> <li>Copy the API token BotFather gives you (this becomes <code>TG_BOT_TOKEN</code>)</li> </ul> </li> <li> <p><strong>Create a Telegram channel and add the bot</strong></p> <ul> <li>Create a channel (example: <code>JS Daily Byte</code>)</li> <li>Add your bot to the channel</li> <li>Make the bot an admin so it can post messages</li> </ul> </li> <li> <p><strong>Get your Telegram <code>chat_id</code></strong></p> <ul> <li>Send a message in the channel (or mention the bot like <code>@ YourBot hi</code>)</li> <li>Open this URL in a browser: <code>https://api.telegram.org/bot&lt;YOUR_TOKEN&gt;/getUpdates</code> </li> <li>Copy the <code>chat.id</code> value (usually starts with <code>-100...</code>) This becomes <code>TG_CHAT_ID</code> </li> </ul> </li> <li> <p><strong>Add your quotes</strong></p> <ul> <li>Create <code>quotes.json</code> in the repo root</li> <li>Store quotes as a simple array of strings, like: <code>["quote 1", "quote 2", "quote 3"]</code> </li> </ul> </li> <li> <p><strong>Add the GitHub Actions workflow</strong></p> <ul> <li>Create <code>.github/workflows/js-daily-byte.yml</code> </li> <li>Add a scheduled cron job (example: <code>0 13 * * *</code> for 13:00 UTC)</li> <li>Workflow will: <ul> <li>read <code>quotes.json</code> </li> <li>pick the quote for the day</li> <li>send it using Telegram Bot API via <code>curl</code> </li> </ul> </li> </ul> </li> <li> <p><strong>Add GitHub Secrets (required)</strong></p> <ul> <li>Repo → Settings → Secrets and variables → Actions → New repository secret</li> <li>Add: <ul> <li> <code>TG_BOT_TOKEN</code> = your BotFather token</li> <li> <code>TG_CHAT_ID</code> = your channel chat id</li> </ul> </li> </ul> </li> </ol> <p>After that, the bot runs daily automatically. You can also trigger it anytime from the <strong>Actions</strong> tab using <code>workflow_dispatch</code>.</p> <p>That’s it.</p> <h2> Final Thoughts </h2> <p>JavaScript fundamentals aren’t difficult because they’re complex.<br> They’re difficult because we forget them.</p> <p>JS Daily Byte keeps these concepts fresh - one small reminder at a time.</p> <p>You can find more of my work at: <a href="https://sushantrahate.com/" rel="noopener noreferrer">https://sushantrahate.com/</a></p> <p>Happy coding! 😄</p> devchallenge weekendchallenge showdev Sushant Rahate Sun, 28 Dec 2025 16:11:40 +0000 https://dev.to/sushantrahate/i-built-a-100100-google-lighthouse-portfolio-by-keeping-it-boring-2n2l https://dev.to/sushantrahate/i-built-a-100100-google-lighthouse-portfolio-by-keeping-it-boring-2n2l <p>Like most developers, I once believed a portfolio had to be flashy.<br> More animations • More motion • More “wow”<br> And somehow… a Lighthouse score of <strong>62</strong> 😅</p> <p>So this time, I did the opposite.</p> <p>👉 <strong>Portfolio:</strong> <a href="https://sushantrahate.com" rel="noopener noreferrer">https://sushantrahate.com</a><br><br> <em>(Open it alongside this post if you want context.)</em></p> <p>PageSpeed Insights: <a href="https://pagespeed.web.dev/analysis/https-sushantrahate-com/vkyra56xl5?form_factor=desktop" rel="noopener noreferrer">https://pagespeed.web.dev/analysis/https-sushantrahate-com/vkyra56xl5?form_factor=desktop</a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkh51umgyckozmtsondln.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkh51umgyckozmtsondln.png" alt="PageSpeed Insights" width="800" height="616"></a></p> <h2> The Real Goal </h2> <p>I didn’t want my portfolio to entertain people.<br><br> I wanted it to <strong>respect their time</strong>.</p> <ul> <li>It should load in milliseconds </li> <li>And the moment it appears, the viewer should feel: <strong>“Okay. I know who this person is.”</strong> </li> </ul> <p>The first screen is the <strong>first impression</strong>.<br> If that moment is unclear, everything after it is noise.</p> <p>So the first screen explains - <em>without asking you to scroll</em>:</p> <ul> <li>who I am </li> <li>what I do </li> <li>what I’m building </li> </ul> <p>No telling. Only proof.</p> <blockquote> <p><strong>“Talk is cheap. Show me the code.” - Linus Torvalds</strong></p> </blockquote> <h2> My Constraints (Intentionally Self-Imposed) </h2> <p>Before writing a single line of code, I set strict rules:</p> <ul> <li>⚡ <strong>100% Google Lighthouse performance</strong> </li> <li>🧠 Only essential information</li> <li>🚫 No heavy frameworks</li> <li>🚫 No animations to wait for</li> <li>🚫 No component libraries</li> <li>🚫 No guessing</li> <li>🚫 No effort required from the viewer</li> <li>✅ Fast even on slow networks</li> </ul> <h2> The Layout: Compact by Design </h2> <p>Once I knew <em>what</em> to show, I focused on <em>how</em>.<br> I chose a <strong>bento grid layout</strong> - compact, high-signal information density.</p> <p>People don’t read websites line by line.<br> They scan, usually in a <strong>Z-pattern</strong>:<br> top-left → top-right<br> then diagonally down<br> then left → right again</p> <p>So I placed sections deliberately to match that flow.</p> <h2> 1. Starting With the Human </h2> <p>The page begins with <strong>who I am</strong>.</p> <ul> <li>I mention <strong>JavaScript</strong>, not a long list of frameworks (tools change, fundamentals don’t)</li> <li>I mention <strong>backend and security</strong> (that’s how I think when building systems)</li> <li>I end with a small personal line - <em>husband, dad</em> to remind there’s a human behind the code</li> </ul> <p>No fluff. Just context.</p> <h2> 2. What I’m Actually Building </h2> <p>At the top, I show what I care about <strong>right now</strong>:</p> <h3> <strong>MatriProfile - my live SaaS</strong> </h3> <p>👉 <a href="https://matriprofile.com" rel="noopener noreferrer">https://matriprofile.com</a></p> <p>A modern, multilingual, privacy-first marriage biodata generator -<br> built <strong>end-to-end by me</strong>.</p> <p>Shipping a real product teaches more than any tutorial or side project ever will:<br> product thinking, user behavior, trade-offs, and long-term maintenance.</p> <h2> 3. Proof Over Promises </h2> <p>I first heard this line in <em>The Social Network</em>, and it stuck:</p> <blockquote> <p><strong>“Talk is cheap. Show me the code.”</strong><br> Instead of listing skills, I show <strong>repositories</strong>.</p> </blockquote> <p>One of them:<br> 👉 <a href="https://github.com/sushantrahate/express-typescript-prisma-postgresql" rel="noopener noreferrer">https://github.com/sushantrahate/express-typescript-prisma-postgresql</a><br> ⭐ It has 27 GitHub stars - but more importantly, it has <strong>intent</strong>.</p> <p>It’s a production-ready backend starter focused on:</p> <ul> <li>clean architecture</li> <li>TypeScript discipline</li> <li>real-world backend patterns</li> </ul> <h2> 4. Writing for Clarity </h2> <p>I also link to articles I’ve written.<br> Because <strong>writing exposes understanding</strong>.<br> If I can explain authentication, access control, or backend trade-offs in simple words,<br> it means I’ve wrestled with those concepts long enough to earn clarity.</p> <p>Finally, social links sit at the bottom.</p> <h2> The Tech Stack </h2> <ul> <li>HTML</li> <li>Tailwind CSS</li> <li>Vanilla JavaScript</li> </ul> <p>JavaScript is loaded with <strong>defer</strong>, so it never blocks rendering.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>&lt;script <span class="nv">src</span><span class="o">=</span><span class="s2">"./script.js"</span> defer&gt;&lt;/script&gt; </code></pre> </div> <p>Fetching GitHub stars is handled carefully:</p> <ul> <li>The API call runs only after the page has fully loaded</li> <li>First paint stays untouched</li> </ul> <h2> Closing Thought </h2> <p>A portfolio doesn’t need to explain everything.<br> It just needs to make the <strong>right impression - fast</strong><br> and give the viewer clear paths to go deeper <em>if they want to</em>.</p> <p>Mine isn’t a big portfolio.<br> It’s simple, clean, and intentional.</p> <p>And sometimes, <strong>boring is exactly what works.</strong></p> <p>GitHub URL: <a href="https://github.com/sushantrahate/portfolio" rel="noopener noreferrer">https://github.com/sushantrahate/portfolio</a></p> <p>I hope this guide helps you. Happy coding! 😄<br> I’d love to connect - whether for work, collaboration, or just to talk systems.</p> webdev performance showdev portfolio Sushant Rahate Mon, 11 Nov 2024 08:41:06 +0000 https://dev.to/sushantrahate/nodejs-authentication-best-practices-and-key-strategies-1npj https://dev.to/sushantrahate/nodejs-authentication-best-practices-and-key-strategies-1npj <p>This article showcases secure login strategies for Node.js, implementing multiple security techniques to safeguard user credentials, sessions, and account access.</p> <h2> Key Security Features </h2> <h3> 1. Password Hashing with Salt </h3> <p>Passwords are hashed using a strong hashing algorithm (e.g., bcrypt) along with a random salt for each password. This ensures that even if the hashed password is compromised, it cannot easily be reversed into the original password.</p> <p><strong>Why its important</strong>:</p> <ul> <li>Prevents plain-text password storage.</li> <li>Salting makes it difficult for attackers to use precomputed hash tables (rainbow tables) to guess passwords.</li> </ul> <p>Implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">bcrypt</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">bcrypt</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">hashPassword</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">password</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">saltRounds</span> <span class="o">=</span> <span class="mi">10</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">salt</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">genSalt</span><span class="p">(</span><span class="nx">saltRounds</span><span class="p">);</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">salt</span><span class="p">);</span> <span class="p">};</span> <span class="c1">// Create and save the user in the database</span> <span class="kd">const</span> <span class="nx">newUser</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">User</span><span class="p">({</span> <span class="nx">username</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">hashPassword</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">newUser</span><span class="p">.</span><span class="nf">save</span><span class="p">();</span> <span class="c1">// Login API</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">username</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">users</span><span class="p">.</span><span class="nf">find</span><span class="p">((</span><span class="nx">u</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">u</span><span class="p">.</span><span class="nx">username</span> <span class="o">===</span> <span class="nx">username</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">User not found</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">isPasswordValid</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compare</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">password</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isPasswordValid</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Incorrect password</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <h3> 2. Token-Based Authentication </h3> <p>JWT (JSON Web Token) is used for token-based authentication, allowing stateless authentication between the client and server. Users receive a JWT upon login, which is then sent with every subsequent request in the Authorization header.</p> <p><strong>Why its important:</strong></p> <ul> <li>Stateless: No need for session storage on the server.</li> <li>Secure token can carry claims (user ID, roles) without exposing sensitive information.</li> </ul> <p>Implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">jwt</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">generateToken</span> <span class="o">=</span> <span class="p">(</span><span class="nx">userId</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">({</span> <span class="nx">userId</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1h</span><span class="dl">'</span> <span class="p">});</span> <span class="p">};</span> </code></pre> </div> <h3> 3. Refresh Tokens </h3> <p>A refresh token is used to obtain new access tokens without requiring the user to log in again. This ensures a smooth experience for users without compromising security.</p> <p><a href="https://github.com/sushantrahate/jwt-auth-refresh-token-as-http-only-cookie" rel="noopener noreferrer">Here Is Repo for JWT Authentication With Refresh Token as HTTP-only Cookie</a></p> <p><strong>Why its important:</strong></p> <ul> <li>Minimizes exposure by using short-lived access tokens.</li> <li>Refresh tokens are stored more securely (e.g., in a database or HTTP-only cookie).</li> </ul> <p>Implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">generateRefreshToken</span> <span class="o">=</span> <span class="p">(</span><span class="nx">userId</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">({</span> <span class="nx">userId</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REFRESH_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">7d</span><span class="dl">'</span> <span class="p">});</span> <span class="p">};</span> </code></pre> </div> <h3> 4. HTTP-Only Cookies </h3> <p>Store sensitive tokens such as refresh tokens in HTTP-only cookies. This prevents JavaScript from accessing the tokens, protecting them from XSS (Cross-Site Scripting) attacks.</p> <p><strong>Why its important:</strong></p> <ul> <li>Shields tokens from being stolen by malicious scripts.</li> <li>Reduces the risk of token exposure through client-side code.</li> </ul> <p>Implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">res</span><span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">'</span><span class="s1">refreshToken</span><span class="dl">'</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">'</span><span class="s1">strict</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h3> 5. JWT Blacklisting </h3> <p>JWT tokens do not have built-in revocation. To invalidate tokens (e.g., on logout), JWT blacklisting is used. A database or Redis is used to store invalidated tokens until they expire.</p> <p><strong>Why its important:</strong></p> <ul> <li>Prevents previously issued tokens from being used after logout or account compromise.</li> </ul> <p>Implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">blacklistToken</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">token</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">redisClient</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="dl">'</span><span class="s1">blacklisted</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EX</span><span class="dl">'</span><span class="p">,</span> <span class="nx">tokenExpirationTime</span><span class="p">);</span> <span class="p">};</span> </code></pre> </div> <h3> 6. Single Session at a Time </h3> <p>Ensure that only one session is active for a user at any given time. When a new session is created, invalidate previous tokens or sessions.</p> <p><strong>Why its important:</strong></p> <ul> <li>Prevents concurrent logins from multiple devices or locations, enhancing account security.</li> </ul> <p>Implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Schema for User table:</span> <span class="nx">sessionId</span><span class="p">:</span> <span class="p">{</span> <span class="nl">type</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="nx">unique</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="c1">//login API</span> <span class="kd">const</span> <span class="nx">newSessionId</span> <span class="o">=</span> <span class="nf">generateAccessToken</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="nx">user</span><span class="p">.</span><span class="nx">sessionId</span> <span class="o">=</span> <span class="nx">newSessionId</span><span class="p">;</span> <span class="k">await</span> <span class="nx">user</span><span class="p">.</span><span class="nf">save</span><span class="p">();</span> <span class="c1">// Auth API</span> <span class="kd">const</span> <span class="nx">decodedToken</span><span class="p">:</span> <span class="kr">any</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ACCESS_TOKEN_SECRET</span><span class="o">!</span><span class="p">);</span> <span class="c1">// Replace with your JWT secret key</span> <span class="kd">const</span> <span class="nx">sessionIdFromToken</span> <span class="o">=</span> <span class="nx">decodedToken</span><span class="p">.</span><span class="nx">sessionId</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">sessionId</span> <span class="o">!==</span> <span class="nx">sessionIdFromToken</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Session invalidated. You are logged in elsewhere.</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h3> 7. Ideal Time Session Expiration </h3> <p>Sessions expire after a period of inactivity. Implement a session expiration timer to automatically log out users who are inactive for a predefined time.</p> <p><strong>Why its important:</strong></p> <ul> <li>Reduces the risk of an unauthorized person accessing the session if the user forgets to log out.</li> </ul> <p>Implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">sessionExpirationTime</span> <span class="o">=</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">;</span> <span class="c1">// 15 minutes</span> <span class="kd">const</span> <span class="nx">IDLE_TIMEOUT</span> <span class="o">=</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">;</span> <span class="c1">// User Schema</span> <span class="nl">lastActivity</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">Date</span><span class="p">,</span> <span class="na">default</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nx">now</span> <span class="p">},</span> <span class="c1">// Track last activity timestamp</span> <span class="c1">// in auth middleware</span> <span class="kd">const</span> <span class="nx">now</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">idleTime</span> <span class="o">=</span> <span class="nx">now</span> <span class="o">-</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">lastActivity</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">idleTime</span> <span class="o">&gt;</span> <span class="nx">IDLE_TIMEOUT</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Token is still valid, but session is idle for too long</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Session expired due to inactivity</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Else Update last activity timestamp if within idle timeout</span> <span class="nx">user</span><span class="p">.</span><span class="nx">lastActivity</span> <span class="o">=</span> <span class="nx">now</span><span class="p">;</span> <span class="k">await</span> <span class="nx">user</span><span class="p">.</span><span class="nf">save</span><span class="p">();</span> </code></pre> </div> <h3> 8. Account Lockout Mechanism </h3> <p>Prevent brute force attacks by locking out accounts after several failed login attempts. Implement time-based lockout, where accounts are temporarily locked after repeated failures.</p> <p><strong>Why its important:</strong></p> <ul> <li>Mitigates brute force attacks by limiting login attempts.</li> </ul> <p>Implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Schema</span> <span class="nx">failedLoginAttempts</span><span class="p">:</span> <span class="p">{</span> <span class="nl">type</span><span class="p">:</span> <span class="nb">Number</span><span class="p">,</span> <span class="k">default</span><span class="p">:</span> <span class="mi">0</span> <span class="p">},</span> <span class="nx">lockoutUntil</span><span class="p">:</span> <span class="p">{</span> <span class="nl">type</span><span class="p">:</span> <span class="nb">Date</span><span class="p">,</span> <span class="k">default</span><span class="p">:</span> <span class="kc">null</span> <span class="p">},</span> <span class="c1">// Track lockout time</span> <span class="kd">const</span> <span class="nx">MAX_ATTEMPTS</span> <span class="o">=</span> <span class="mi">3</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">LOCK_TIME</span> <span class="o">=</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="err">\</span><span class="nx">_</span> <span class="mi">1000</span><span class="p">;</span> <span class="c1">// 15 minutes</span> <span class="c1">// Example for MongoDB with Mongoose</span> <span class="kd">const</span> <span class="nx">handleFailedLogin</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="nx">email</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">lockoutUntil</span> <span class="o">&amp;&amp;</span> <span class="nx">user</span><span class="p">.</span><span class="nx">lockoutUntil</span> <span class="o">&gt;</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="c1">// Account is still locked</span> <span class="p">}</span> <span class="nx">user</span><span class="p">.</span><span class="nx">failedLoginAttempts</span> <span class="o">+=</span> <span class="mi">1</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">failedLoginAttempts</span> <span class="o">&gt;=</span> <span class="nx">MAX_ATTEMPTS</span><span class="p">)</span> <span class="p">{</span> <span class="nx">user</span><span class="p">.</span><span class="nx">lockoutUntil</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="nx">LOCK_TIME</span><span class="p">);</span> <span class="c1">// Lock for 30 mins</span> <span class="p">}</span> <span class="k">await</span> <span class="nx">user</span><span class="p">.</span><span class="nf">save</span><span class="p">();</span> <span class="k">return</span> <span class="nx">user</span><span class="p">.</span><span class="nx">lockoutUntil</span> <span class="o">&amp;&amp;</span> <span class="nx">user</span><span class="p">.</span><span class="nx">lockoutUntil</span> <span class="o">&gt;</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">();</span> <span class="c1">// Return if account is locked</span> <span class="p">};</span> <span class="c1">// Reset login attempts if the login is successful</span> </code></pre> </div> <h3> 9. Secure Password Reset Procedures </h3> <p>Users can reset their passwords through a secure process. Use a time-limited, one-time token (OTP) sent to the user's email for the reset process. Ensure the reset token expires after a short period.</p> <p><strong>Why its important:</strong></p> <ul> <li>Provides users a secure way to recover accounts without compromising security.</li> </ul> <p>Implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// User Schema</span> <span class="nx">resetPasswordToken</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="nx">resetPasswordExpires</span><span class="p">:</span> <span class="nb">Date</span><span class="p">,</span> <span class="cm">/* Use crypto.randomBytes() to generate a secure hex instead of Math.random(), Math.random() hex are easier for attackers to guess or brute force. */</span> <span class="kd">const</span> <span class="nx">generateResetToken</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomBytes</span><span class="p">(</span><span class="mi">20</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nf">generateResetToken</span><span class="p">();</span> <span class="nx">user</span><span class="p">.</span><span class="nx">resetPasswordExpires</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="mi">3600000</span><span class="p">;</span> <span class="c1">// 1 hour from now</span> </code></pre> </div> <h3> 10. Password Expiration and Restricting Past 3 Passwords </h3> <p>Here's how this works:</p> <ol> <li><strong>Password History:</strong></li> </ol> <ul> <li>The system stores the last three hashed passwords in a user's password history.</li> <li>When a user attempts to set a new password, the system compares the new password against these previous passwords to prevent reuse.</li> </ul> <ol> <li> <strong>Password Expiration:</strong> <ul> <li>The system tracks how long a user has been using their current password.</li> <li>After a set period (e.g., 1 month), the system sends a notification prompting the user to change their password.</li> <li>If the password is not updated within a given grace period, access may be restricted until a new password is set. </li> </ul> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Schema</span> <span class="nx">passwordHistory</span><span class="p">:</span> <span class="p">[{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span> <span class="p">}],</span> <span class="c1">// Array to store past 3 password hashes</span> <span class="nx">passwordUpdatedAt</span><span class="p">:</span> <span class="p">{</span> <span class="nl">type</span><span class="p">:</span> <span class="nb">Date</span><span class="p">,</span> <span class="k">default</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nx">now</span> <span class="p">},</span> <span class="c1">// When the password was last updated</span> <span class="c1">// You can Check Expiration on Login or have a corn job to find and notify users via email.</span> </code></pre> </div> <h3> 11 . Implementing Strong Password Policies </h3> <p>Strong password policies help prevent unauthorized access and minimize the risk of brute-force attacks, dictionary attacks, and credential stuffing.</p> <p>Implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">validator</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">validator</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">password</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">User@1234</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span> <span class="o">!</span><span class="nx">validator</span><span class="p">.</span><span class="nf">isStrongPassword</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="p">{</span> <span class="na">minLength</span><span class="p">:</span> <span class="mi">8</span><span class="p">,</span> <span class="na">minLowercase</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">minUppercase</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">minNumbers</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">minSymbols</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="p">})</span> <span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Password does not meet complexity requirements.</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> 12. User-Specific Token Revocation </h3> <p>User-specific token revocation is the process of invalidating a single user’s tokens without affecting others.</p> <p>It’s useful in cases like:</p> <ul> <li>Suspicious activity detected on an account</li> <li>A user requests token revocation for security</li> <li>The account is disabled or suspended</li> <li>A token is stolen or leaked</li> </ul> <p>How it Works:</p> <ol> <li>Token Structure:</li> </ol> <p>Tokens (e.g., JWTs) contain user data and a tokenVersion. The tokenVersion is stored in the database to track the validity of tokens for each user.</p> <ol> <li>Token Verification:</li> </ol> <p>When a request is made, the server decodes the token and compares the tokenVersion in the token with the version stored in the database. If they match, the token is valid; if not, the token is invalidated.</p> <ol> <li>Token Revocation:</li> </ol> <p>To revoke all tokens for a user, simply increment the tokenVersion in the database. All tokens with the previous version are automatically invalidated.</p> <p>Implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Schema: token_version INT DEFAULT 1</span> <span class="c1">// JWT Creation</span> <span class="kd">const</span> <span class="nx">createToken</span> <span class="o">=</span> <span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">tokenVersion</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">tokenVersion</span> <span class="p">};</span> <span class="k">return</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="nx">SECRET_KEY</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1h</span><span class="dl">'</span> <span class="p">});</span> <span class="p">};</span> <span class="c1">// Token Validation</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">tokenVersion</span> <span class="o">!==</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">tokenVersion</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid token: version mismatch</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// To revoke, increment tokenVersion</span> <span class="nx">user</span><span class="p">.</span><span class="nx">tokenVersion</span><span class="o">++</span><span class="p">;</span> </code></pre> </div> <h3> 13. Cross-Origin Resource Sharing (CORS) Configuration </h3> <p>Configure CORS to restrict which origins are allowed to access the API. Only trusted domains should be allowed to send requests to your server.</p> <p><strong>Why its important:</strong></p> <ul> <li>Prevents unauthorized sites from making requests to your server.</li> <li>Protects against CSRF (Cross-Site Request Forgery) attacks.</li> </ul> <p>Implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">cors</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">cors</span><span class="dl">'</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span> <span class="nf">cors</span><span class="p">({</span> <span class="na">origin</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://your-frontend-domain.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">credentials</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">})</span> <span class="p">);</span> </code></pre> </div> <p>Also read <a href="https://dev.to/sushantrahate/role-based-access-control-rbac-with-feature-centric-approach-oj5">Role-Based Access Control with Feature-Centric Approach</a></p> <p>Check out my GitHub profile: <a href="https://github.com/sushantrahate" rel="noopener noreferrer">https://github.com/sushantrahate</a></p> <p>I hope this guide helps you. Happy coding! 😄</p> javascript authentication node security Sushant Rahate Sat, 09 Nov 2024 19:01:50 +0000 https://dev.to/sushantrahate/role-based-access-control-rbac-with-feature-centric-approach-oj5 https://dev.to/sushantrahate/role-based-access-control-rbac-with-feature-centric-approach-oj5 <p>In this article, we’ll explore how to set up a Role-Based Access Control (RBAC) system where features are a central part. We'll go through defining modules, associating features, assigning roles with specific features, and finally assigning roles to users. This example uses JSON data to keep things simple and adaptable, <strong>allowing for scalable access control without requiring any changes for new roles on the frontend</strong></p> <p><a href="https://sushantrahate.github.io/role-based-access-control/" rel="noopener noreferrer">Live Demo</a></p> <h2> 1. Define Modules and Features </h2> <p>Modules group similar features together. Each module can contain multiple features representing actions that users can perform.</p> <p>JSON Structure for Modules and Features:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"modules"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Users"</span><span class="p">,</span><span class="w"> </span><span class="nl">"features"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"view-users"</span><span class="p">,</span><span class="w"> </span><span class="s2">"edit-users"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Reports"</span><span class="p">,</span><span class="w"> </span><span class="nl">"features"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"view-reports"</span><span class="p">,</span><span class="w"> </span><span class="s2">"edit-reports"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ul> <li> <strong>Modules:</strong> Represents a specific area of the application, like "Users" or "Reports."</li> <li> <strong>Features:</strong> Actions within each module, such as <code>view-users</code> and <code>edit-users</code> for the <code>Users</code> module.</li> </ul> <h2> 2. Create Roles and Assign Features </h2> <p>Next, create roles that define sets of features. Each role will have a list of permissions that grant access to specific features within the modules.</p> <p>JSON Structure for Roles and Permissions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Admin"</span><span class="p">,</span><span class="w"> </span><span class="nl">"permissions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"view-users"</span><span class="p">,</span><span class="w"> </span><span class="s2">"edit-users"</span><span class="p">,</span><span class="w"> </span><span class="s2">"view-reports"</span><span class="p">,</span><span class="w"> </span><span class="s2">"edit-reports"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Viewer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"permissions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"view-users"</span><span class="p">,</span><span class="w"> </span><span class="s2">"view-reports"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ul> <li> <strong>Roles:</strong> Represent groups with specific access rights, like "Admin" and "Viewer."</li> <li> <strong>Permissions:</strong> Specify which features each role has access to, allowing for flexible permission settings.</li> </ul> <p><em>By defining roles, you can manage access control efficiently without modifying each user's permissions.</em></p> <h2> 3. Assign Roles to Users </h2> <p>After creating roles, assign them to users. Each user will inherit the permissions granted by their role.</p> <p>JSON Structure for Users and Role Assignments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"users"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Sushant"</span><span class="p">,</span><span class="w"> </span><span class="nl">"roleId"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Raghav"</span><span class="p">,</span><span class="w"> </span><span class="nl">"roleId"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ul> <li> <strong>Users:</strong> Represent individuals who will access the application.</li> <li> <strong>RoleId:</strong> Links each user to a specific role, determining their feature access.</li> </ul> <p><em>With this structure, you can easily update roles to grant or restrict access for multiple users simultaneously.</em></p> <h2> 4. Setting Up Access Control Logic in the Frontend </h2> <p>On the frontend, access to each feature is checked based on the user's role. Here’s how to securely handle user access based on their assigned role.</p> <ul> <li> <strong>Fetch Role Permissions:</strong> When a user logs in, retrieve their role's permissions from the backend.</li> <li> <strong>Store Permissions Locally:</strong> For session-based access control, store permissions in a secure format (such as JWT or session storage).</li> <li> <strong>Conditional Rendering:</strong> For each section or feature, check if the user has permission to view or edit it.</li> </ul> <p>Example Access Check in JavaScript:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">userPermissions</span> <span class="o">=</span> <span class="p">[</span><span class="dl">"</span><span class="s2">view-users</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">edit-users</span><span class="dl">"</span><span class="p">];</span> <span class="c1">// Loaded from backend based on role</span> <span class="k">if </span><span class="p">(</span><span class="nx">userPermissions</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">view-users</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// Render the user view section</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">userPermissions</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">edit-users</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// Render the user edit section</span> <span class="p">}</span> </code></pre> </div> <p><em>Using a role-based check in the frontend ensures that users only see features they’re permitted to access.</em></p> <h2> Backend Validation </h2> <p>While this example focuses on the frontend, validating user roles and permissions should also happen on the backend. Backend validation should re-check feature access on every request, helping to prevent any unauthorized data or feature access</p> <h2> <strong>Pros and Cons</strong> </h2> <p><strong>Pros</strong></p> <ul> <li><p><strong>Fine-Grained Access Control:</strong> This approach allows you to control user access on a feature-by-feature basis, which is more flexible than traditional role-based access control.</p></li> <li><p><strong>Scalability:</strong> New features and modules can easily be added to the system, and roles can be adjusted without significant backend changes.</p></li> <li><p><strong>Improved Security:</strong> By combining frontend validation and strict backend checks, this system helps prevent unauthorized access to restricted features.</p></li> </ul> <p><strong>Cons</strong></p> <ul> <li> <strong>Complexity:</strong> Feature-based access control can become complex, especially as the number of modules, features, and roles increases. Proper planning and documentation are essential to prevent it from becoming difficult to manage.</li> </ul> <h2> Conclusion </h2> <p>Role-Based Access Control (RBAC) with a feature-centric approach offers a scalable and efficient way to manage user permissions. By defining modules and features, setting up roles, and assigning or updating features to roles, you can easily create and manage custom roles without requiring any new changes in the frontend.</p> <p>Check out my GitHub profile: <a href="https://github.com/sushantrahate" rel="noopener noreferrer">https://github.com/sushantrahate</a></p> <p>I hope this guide helps you. Happy coding! 😄</p> javascript rbac tutorial security