Proof point β†’ Most products bolt on permissions after launch. I build the policy engine first - because trust is the product.

🩻 Problem

Lemify’s vision - “help consumers get paid for their consumption lifestyle” - implies handling people’s behavioral data and money. That dies instantly without a serious authorization and privacy layer underneath.

πŸ”¨ Solution

A TypeScript Express API where the identity/permissions core is the first milestone:

Architecture Overview

  1. XACML-pattern authorization - a policyDecisionPoint middleware evaluating single or arrayed required permissions against the user’s permission set, separated from a policyEnforcementPoint - decision and enforcement as distinct concerns, with every grant logged to Loggly.
  2. Granular permission model - permission enums and role constants rather than three hardcoded roles.
  3. Ten auth DTOs - register, login, logout, change-password, change-role, deactivate-user, update-permissions, verify-email and more, validated with class-validator in a non-NestJS codebase.
  4. Privacy as schema - user profiles with explicit privacy-settings and social-links DTOs.
  5. Observability utilities - Sentry with profiling, Loggly log shipping, SendGrid - as standard services.

πŸ“œ Philosophy

Authorization is architecture, not middleware. Building the policy layer first - with audit logging of every access decision - is what makes consumer-data products defensible.

πŸŽ“ Key learnings

  • Policy-based access control (PDP/PEP) beyond simple role checks - the pattern regulators actually ask about.
  • DTO-driven validation discipline outside the framework that usually provides it.
  • Designing privacy settings as first-class data, not a settings page afterthought.

πŸ“ˆ Output & impact

  • A small, focused, reusable authorization core - the pattern library for permission-sensitive products that followed.

🌍 Why this matters

Trust, Security & Compliance. Any platform holding financial documents, commitments, or approvals must answer “who could see this, and why?” - in writing, with logs. Under data-protection regimes like the NDPR, fine-grained access control is a legal requirement, not a feature. This is that capability, demonstrated.

πŸš€ Hire me

Handling sensitive user data and need permissions done properly? Let’s talk β†’ Β· See also: Lura Identity Β· The thesis