# Auth And Permissions

Authentication and authorization discipline beyond the basics.

## Rules

1. **Authentication proves identity. Authorization proves entitlement.** Logging someone in is not the same as deciding what they can do. Check both, at different layers, for different reasons.

2. **Sessions expire and tokens rotate.** Infinite-lived credentials are breach multipliers. Short-lived access tokens, refresh rotation, and session invalidation on password change are baseline.

3. **Check permissions at the resource, not just the route.** A user authenticated for `/api/projects` must not access project 47 if they only own project 12. Object-level authorization is where most apps leak.

4. **Default deny.** Start with no access and explicitly grant permissions. An allow-list model fails closed. A deny-list model fails open and you won't notice until it's exploited.

5. **Service accounts are first-class identities.** Machine-to-machine auth gets its own credentials, its own scopes, and its own rotation schedule. Hardcoded service tokens are human auth mistakes scaled up.

6. **Auth errors don't enable enumeration.** "User not found" and "wrong password" should look the same to the caller, in message, status code, and response time. Different error messages help attackers build user lists.
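Rules 3 and 4 together, as an added example that is not part of the original page: an allow-list policy evaluated per object, with a route-level-only handler beside the hardened one so the project-47-vs-project-12 leak is visible. The `User`, `Project`, `POLICY` and `Forbidden` names are constructed for this illustration.

```python
from dataclasses import dataclass, field

# Constructed in-memory model for this example; a real app reads from its DB.
@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset = frozenset()

@dataclass
class Project:
    id: int
    owner_id: int
    members: set = field(default_factory=set)

PROJECTS = {
    12: Project(id=12, owner_id=1),
    47: Project(id=47, owner_id=2, members={3}),
}

class Forbidden(Exception):
    pass

# Allow-list policy (default deny): every permitted (relationship, action)
# pair is listed. An action that is not listed is denied for everyone.
POLICY = {
    ("owner", "read"), ("owner", "write"), ("owner", "delete"),
    ("member", "read"),
    ("admin", "read"), ("admin", "write"),
}

def relationships(user: User, project: Project) -> set:
    """How this user relates to this specific project (plus global roles)."""
    rels = set(user.roles)  # e.g. "admin"
    if project.owner_id == user.id:
        rels.add("owner")
    if user.id in project.members:
        rels.add("member")
    return rels

def authorize(user: User, action: str, project: Project) -> bool:
    """Object-level check: decided per resource, not per route."""
    return any((rel, action) in POLICY for rel in relationships(user, project))

# Route-level only (the rule 3 failure): any logged-in user reads any project.
def get_project_route_only(user: User, project_id: int) -> Project:
    return PROJECTS[project_id]

# Hardened: the caller must be authenticated AND entitled to this object.
def get_project(user: User, project_id: int) -> Project:
    project = PROJECTS.get(project_id)
    # Same error for "missing" and "forbidden", so ids cannot be probed.
    if project is None or not authorize(user, "read", project):
        raise Forbidden("project not found")
    return project
```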

## What This Replaces

Checking login status and calling it security, route-level auth without resource-level checks, and credentials that never expire.
