RBAC
// Definition
Role-Based Access Control — a permission model where access rights are assigned to roles, and users inherit permissions by belonging to one or more roles. A `viewer` role can read resources; an `admin` role can create, update, and delete. In API testing, RBAC tests verify that each role can reach only the endpoints it should: a viewer calling `DELETE /content` should get a 403, not a 200. Broken access control at the object and function level is consistently in the OWASP API Security Top 10.
// Why it matters
RBAC assigns permissions to roles, and users inherit them by role membership. QA's job is the negative matrix: for every role × every protected action, confirm that the forbidden combinations actually return 403. The positive cases usually get tested; the denials are where privilege-escalation bugs hide.
// How to test
// Matrix-test denials: a viewer must not reach admin actions.
// tokenFor(role) is assumed to be a test helper (not shown on this page) that
// returns the auth header for a user in that role, e.g. { Authorization: 'Bearer ...' }.
it('returns 403 for every forbidden role/action pair', () => {
  const forbidden = [
    { role: 'viewer', method: 'DELETE', url: '/api/users/9' },
    { role: 'editor', method: 'POST', url: '/api/billing/refund' },
  ]
  forbidden.forEach(({ role, method, url }) =>
    cy.request({ method, url, headers: tokenFor(role), failOnStatusCode: false })
      .its('status').should('eq', 403)
  )
})

// Common mistakes
- Hiding a button in the UI but leaving the API endpoint open
- Testing what each role can do, never what it can't
- Role checks at the route but not on nested/bulk operations
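Added example (not code from the original page): a minimal server-side RBAC policy with role inheritance, a route table that includes the nested and bulk variants that are easy to leave unguarded, and a generator for the full negative matrix so every (role, route) pair the policy should deny is checked for a 403. Role names, permissions and routes are constructed for illustration.

```javascript
// Permission names granted to each role; a role may inherit another role's grants.
// Constructed sample policy.
const ROLES = {
  viewer: { grants: ['content:read'] },
  editor: { inherits: ['viewer'], grants: ['content:write'] },
  admin:  { inherits: ['editor'], grants: ['content:delete', 'users:manage'] },
};

// Every protected route maps to one permission, including nested and bulk
// variants so they get the same check as the plain route. ':x' is a path parameter.
const ROUTES = [
  { method: 'GET',    path: '/api/content/:id',             perm: 'content:read' },
  { method: 'PUT',    path: '/api/content/:id',             perm: 'content:write' },
  { method: 'DELETE', path: '/api/content/:id',             perm: 'content:delete' },
  { method: 'POST',   path: '/api/content/bulk-delete',     perm: 'content:delete' },
  { method: 'DELETE', path: '/api/users/:id/content/:cid',  perm: 'content:delete' },
  { method: 'POST',   path: '/api/users/:id/roles',         perm: 'users:manage' },
];

// Resolve the transitive permission set of a role; unknown roles get nothing.
function permissionsOf(role, seen = new Set()) {
  const def = ROLES[role];
  if (!def || seen.has(role)) return new Set();
  seen.add(role);
  const perms = new Set(def.grants);
  for (const parent of def.inherits || []) {
    for (const p of permissionsOf(parent, seen)) perms.add(p);
  }
  return perms;
}

// Match method + path against the route table (query string ignored).
function matchRoute(method, url) {
  const parts = url.split('?')[0].split('/');
  return ROUTES.find(r => {
    if (r.method !== method) return false;
    const pat = r.path.split('/');
    return pat.length === parts.length &&
      pat.every((seg, i) => seg.startsWith(':') || seg === parts[i]);
  });
}

// The server-side decision: unknown route -> 404, missing permission -> 403.
function authorize(role, method, url) {
  const route = matchRoute(method, url);
  if (!route) return 404;
  return permissionsOf(role).has(route.perm) ? 200 : 403;
}

// The negative matrix: every (role, route) pair the policy must deny.
function forbiddenMatrix() {
  const out = [];
  for (const role of Object.keys(ROLES)) {
    const perms = permissionsOf(role);
    for (const r of ROUTES) {
      if (!perms.has(r.perm)) out.push({ role, method: r.method, path: r.path });
    }
  }
  return out;
}

// Run the matrix against the policy; any entry that does not come back 403
// is an escalation bug. Path parameters are filled with a sample id.
function checkMatrix() {
  return forbiddenMatrix().filter(({ role, method, path }) =>
    authorize(role, method, path.replace(/:[a-z]+/g, '1')) !== 403);
}
```

In a real suite the `forbiddenMatrix()` list is what feeds the `cy.request` loop above, so the denial cases are generated from the policy rather than hand-picked, and a newly added bulk or nested route is covered the moment it appears in the route table.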
// Related terms
OAuth 2.0
An open delegation protocol that lets users grant third-party applications scoped access to their resources without sharing their password. OAuth 2.0 defines four grant flows — Authorization Code (web apps), Client Credentials (server-to-server), Device Code (CLI tools / TVs), and PKCE (mobile apps). QA engineers test OAuth flows by validating token exchange, scope enforcement, refresh token behaviour, and failure modes like expired tokens, insufficient scopes, and revoked access.
JWT
JSON Web Token — a compact, URL-safe token format for transmitting claims between parties. A JWT has three Base64URL-encoded sections separated by dots: header (signing algorithm), payload (claims like `sub`, `exp`, `roles`), and signature. Because the payload is encoded but not encrypted, any holder of the token can read the claims — never store secrets in a JWT payload. Test JWTs by checking expiry enforcement, algorithm validation (reject `alg: none`), and rejection of tampered signatures.
BOLA (Broken Object Level Authorization)
Ranked #1 in the OWASP API Security Top 10. A BOLA (also called IDOR — Insecure Direct Object Reference) vulnerability exists when an API trusts the object ID in the request rather than checking whether the authenticated user is authorised to access that specific resource. Test by replacing `/users/1/orders/100` with `/users/1/orders/101` (an order belonging to a different user) — a vulnerable API returns a 200; a secure one returns a 403 or 404. The fix is server-side authorisation checks on every object access.
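Added example (not code from the original page): the nested orders handler from the paragraph above in its vulnerable form beside its hardened form, plus the neighbouring-ID probe written as a function so a suite can assert on the status each handler returns. The order store, user IDs and roles are constructed; the hardened handler answers 404 for an order that exists but belongs to someone else, so a foreign object is indistinguishable from a missing one.

```javascript
// Constructed order store: order id -> record.
const ORDERS = {
  100: { ownerId: 1, total: 42 },
  101: { ownerId: 2, total: 99 },
};

// Vulnerable form: trusts the object id in the URL. Any authenticated caller
// who guesses an id reads the order. authUser and the path user id are ignored.
function getOrderVulnerable(authUser, userIdInPath, orderId) {
  const order = ORDERS[orderId];
  return order ? { status: 200, body: order } : { status: 404 };
}

// Secure form: the authenticated principal decides what is reachable, and the
// object is checked against that principal on every access.
function getOrderSecure(authUser, userIdInPath, orderId) {
  const isAdmin = authUser.roles.includes('admin');
  // Function-level check: only that user (or an admin) may browse /users/:id/orders.
  if (authUser.id !== userIdInPath && !isAdmin) return { status: 403 };
  const order = ORDERS[orderId];
  // Object-level check: the order must belong to the user the path is nested under.
  if (!order || order.ownerId !== userIdInPath) return { status: 404 };
  return { status: 200, body: order };
}

// The probe from the text: same caller, own order then a neighbouring id.
// Returns the status each case produced so a test can compare handlers.
function bolaProbe(handler) {
  const alice = { id: 1, roles: ['viewer'] };
  return {
    own: handler(alice, 1, 100).status,
    foreign: handler(alice, 1, 101).status,
  };
}
```

Running `bolaProbe` against both handlers shows the difference the paragraph describes: the vulnerable handler returns 200 for the foreign order, the secure one 404. The same probe belongs in the regression suite for every endpoint that takes an object id.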