
Auth & Access Control System

A secure authentication and permission layer for a mapping platform, covering JWT lifecycle, refresh tokens, RBAC, and password recovery.

Tags: Next.js, Django REST Framework, JWT, Python, Authentication

Overview

At Mapersive, the platform needed a solid authentication system before broader development could proceed. My work focused on building the auth and access control layer from the ground up: login, session management, role enforcement, and password recovery.

Solution

JWT Authentication with Refresh Tokens

I implemented a token-based authentication flow using Django REST Framework and djangorestframework-simplejwt:

  • Login returns a short-lived access token and a longer-lived refresh token
  • Refresh tokens are rotated on use — each refresh issues a new pair and invalidates the old refresh token
  • Logout blacklists the refresh token, preventing reuse

Role-Based Access Control

Users were assigned roles: admin, editor, and viewer. Each role mapped to a set of permissions enforced at the API level.
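The token flow in the bullets above and the role check described here, as one added example written for this page rather than taken from the Mapersive code base: a stand-alone Python model with a minimal HS256 JWT encoder, a refresh step that rotates the pair and blacklists the consumed token by its jti, a logout that blacklists, and a per-request permission check that reads the role claim from the access token. In djangorestframework-simplejwt the equivalent behaviour comes from the ROTATE_REFRESH_TOKENS and BLACKLIST_AFTER_ROTATION settings together with the rest_framework_simplejwt.token_blacklist app; here the blacklist is an in-memory set. The signing key, the lifetimes and the role-to-permission table are assumptions for illustration.

```python
"""Model of the flow described above, standard library only: login issues an
access/refresh pair, refresh rotates the pair and blacklists the old refresh
token by jti, logout blacklists it, and the role claim gates permissions."""
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"example-signing-key-not-for-production"  # assumed; Django would use settings.SECRET_KEY
ACCESS_TTL = 5 * 60                                  # seconds; assumed short lifetime
REFRESH_TTL = 24 * 60 * 60                           # seconds; assumed longer lifetime
ROLE_PERMISSIONS = {                                 # assumed role -> permission table
    "admin": {"map:read", "map:write", "map:delete", "user:manage"},
    "editor": {"map:read", "map:write"},
    "viewer": {"map:read"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(claims: dict) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def decode(token: str, now: float) -> dict:
    header, payload, sig = token.split(".")  # wrong part count raises ValueError, like every other failure below
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims


class AuthService:
    def __init__(self):
        self.blacklist = set()  # jti of every refresh token that must never be accepted again

    def login(self, user: str, role: str, now: float) -> dict:
        """Issue a fresh pair (credential check omitted; this models token handling only)."""
        return {
            "access": encode({"type": "access", "sub": user, "role": role,
                              "exp": now + ACCESS_TTL, "jti": secrets.token_hex(8)}),
            "refresh": encode({"type": "refresh", "sub": user, "role": role,
                               "exp": now + REFRESH_TTL, "jti": secrets.token_hex(8)}),
        }

    def _consume_refresh(self, refresh_token: str, now: float) -> dict:
        claims = decode(refresh_token, now)
        if claims.get("type") != "refresh":
            raise ValueError("not a refresh token")  # an access token must never mint new tokens
        if claims["jti"] in self.blacklist:
            raise ValueError("refresh token already used or revoked")
        self.blacklist.add(claims["jti"])  # single use: rotation and logout both burn it
        return claims

    def refresh(self, refresh_token: str, now: float) -> dict:
        claims = self._consume_refresh(refresh_token, now)
        return self.login(claims["sub"], claims["role"], now)

    def logout(self, refresh_token: str, now: float) -> None:
        self._consume_refresh(refresh_token, now)

    def authorize(self, access_token: str, permission: str, now: float) -> bool:
        """Per-request check: valid, unexpired access token, then role -> permission lookup."""
        try:
            claims = decode(access_token, now)
        except ValueError:
            return False
        return claims.get("type") == "access" and permission in ROLE_PERMISSIONS.get(claims["role"], set())


def demo(now: float = 1_700_000_000.0) -> dict:
    svc = AuthService()
    first = svc.login("alice", "editor", now)
    second = svc.refresh(first["refresh"], now + 60)  # rotation: new pair, old refresh burned
    try:
        svc.refresh(first["refresh"], now + 120)  # replay of the rotated refresh token
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    svc.logout(second["refresh"], now + 180)
    return {
        "replay_rejected": replay_rejected,
        "editor_can_write": svc.authorize(second["access"], "map:write", now + 200),
        "editor_can_delete": svc.authorize(second["access"], "map:delete", now + 200),
        "access_valid_after_logout": svc.authorize(second["access"], "map:read", now + 200),  # stateless until exp
        "access_expired": svc.authorize(second["access"], "map:read", now + 60 + ACCESS_TTL),
    }
```

Note what `access_valid_after_logout` shows: blacklisting stops the refresh token, but an already-issued access token is stateless and stays valid until it expires. That is the tradeoff behind keeping the access lifetime short; if immediate revocation is a requirement, an access-token denylist checked on every request is the extra cost.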

Password Reset Flow

The password reset system used a time-limited, single-use token with proper handling of edge cases: expired tokens, already-used tokens, non-existent email addresses.
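The reset flow described above, as an added example written for this page (not the project's own code): a stand-alone Python service that issues a random, time-limited token, stores only its hash, accepts it exactly once, and returns a distinct outcome for forged, already-used and expired tokens while giving the same API message for known and unknown email addresses. The in-memory dicts stand in for database tables, PBKDF2 stands in for Django's password hasher, and the 15-minute lifetime is an assumed value.

```python
"""Time-limited, single-use password-reset token with the edge cases named
above (expired, already used, unknown email). Standard library only; the dicts
stand in for database tables and the lifetime is an assumed value."""
import hashlib
import secrets

RESET_TTL = 15 * 60  # seconds; assumed lifetime of a reset link
GENERIC_MESSAGE = "If that address is registered, a reset link has been sent."


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for Django's password hasher so the example runs stand-alone.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _token_digest(raw: str) -> str:
    # Only a hash of the token is stored, so a leaked table yields nothing usable.
    return hashlib.sha256(raw.encode()).hexdigest()


class PasswordResetService:
    def __init__(self):
        self.users = {}   # email -> {"salt": bytes, "hash": bytes}
        self.tokens = {}  # token digest -> {"email", "exp", "used"}

    def _set_password(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "hash": _hash_password(password, salt)}

    def add_user(self, email: str, password: str) -> None:
        self._set_password(email, password)

    def check_password(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        return user is not None and secrets.compare_digest(
            user["hash"], _hash_password(password, user["salt"]))

    def request_reset(self, email: str, now: float):
        """Return (api_message, raw_token). The message is the same whether or not the
        address exists, so the endpoint cannot be used to enumerate accounts; the raw
        token goes only into the email, never into the API response."""
        if email not in self.users:
            return GENERIC_MESSAGE, None
        raw = secrets.token_urlsafe(32)
        self.tokens[_token_digest(raw)] = {"email": email, "exp": now + RESET_TTL, "used": False}
        return GENERIC_MESSAGE, raw

    def reset_password(self, raw_token: str, new_password: str, now: float) -> str:
        record = self.tokens.get(_token_digest(raw_token))
        if record is None:
            return "invalid"       # forged, revoked or never issued
        if record["used"]:
            return "already_used"
        if record["exp"] <= now:
            return "expired"
        record["used"] = True
        email = record["email"]
        # Once one token succeeds, every other outstanding token for the account is revoked.
        for digest, other in list(self.tokens.items()):
            if other["email"] == email and other is not record:
                del self.tokens[digest]
        self._set_password(email, new_password)  # fresh salt, new hash
        return "ok"


def demo(now: float = 1_700_000_000.0) -> dict:
    svc = PasswordResetService()
    svc.add_user("alice@example.com", "old-password")  # constructed sample account
    unknown_msg, unknown_tok = svc.request_reset("nobody@example.com", now)
    msg, tok = svc.request_reset("alice@example.com", now)
    _, stale = svc.request_reset("alice@example.com", now)  # a second, still outstanding link
    results = {
        "same_message_for_unknown_email": unknown_msg == msg and unknown_tok is None,
        "forged_token": svc.reset_password("not-a-real-token", "x", now + 1),
        "first_use": svc.reset_password(tok, "new-password", now + 60),
        "second_use": svc.reset_password(tok, "attacker-chosen", now + 61),
        "sibling_after_success": svc.reset_password(stale, "attacker-chosen", now + 62),
    }
    _, late = svc.request_reset("alice@example.com", now + 100)
    results["expired"] = svc.reset_password(late, "x", now + 100 + RESET_TTL)
    results["new_password_works"] = svc.check_password("alice@example.com", "new-password")
    results["old_password_works"] = svc.check_password("alice@example.com", "old-password")
    return results
```

The identical message for known and unknown addresses is what closes the account-enumeration hole in the request step; the two branches still differ in timing (no token is generated for an unknown address), which is a residual signal to keep in mind if enumeration resistance matters. Revoking sibling tokens on success is a design choice added here so that an older link in an attacker's mailbox cannot undo a reset the user just completed.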

Testing

I built a Postman collection covering the full auth flow including edge cases before handoff.

Tech Stack

  • Backend: Django REST Framework
  • Auth Library: djangorestframework-simplejwt
  • Frontend: Next.js
  • Testing: Postman

What I Learned

  • Auth systems have a lot of surface area — the happy path is easy, the edge cases take time
  • Security decisions are tradeoffs, not absolutes
  • Testing auth systematically is what separates a working implementation from a secure one