RBAC
App-wide roles
Built-in roles:super_admin, admin, user.
Use @RequireAppRoles(AppRole.Admin) (or SuperAdmin) with AppRoleGuard on admin routes.
Bootstrap super admin:
Organization roles
Built-in org roles:owner, admin, member, viewer.
Organizations may define custom roles in organization_role with permission strings (for example org:view, billing:read). Assign via member.role using the custom role name.
Validate-session payload
GET /api/validate-session returns:
user,session,orgMemberRolepermissions— app-level fromuser.roleorgPermissions— org-level for the active org (custom role or built-in defaults)
Cache services
| Service | Use |
|---|---|
RateLimitCacheService | Login and OTP rate limits |
OtpCooldownCacheService | OTP send cooldown |
SessionCacheService | Session lookup / invalidation |
ChallengeTokenCacheService | One-time challenge tokens |
fluide-auth:rate:login:ip).