Implement Authentication and Access Control for a Civic Portal
Overview
What this challenge is about.
Receive the current Next.js + Express prototype, the data model (residents, requests, documents, audit log), and the 4 staff roles (resident, clerk, supervisor, auditor) with their authorization matrix. Replace the basic-auth implementation with a real auth stack (Clerk, Auth0, or open-source Keycloak — choose and defend). Implement TOTP-based MFA for staff (optional for residents, enforced for supervisor/auditor). Define RBAC policies for the 4 roles with appropriate scope-narrowing (auditors can read but never write). Implement the audit log: every state-changing action records actor, target, timestamp, and IP. Deliver the working auth implementation (forked repo), a 5-page security design doc, the RBAC policy matrix, and a manual-QA checklist for the launch.
The Brief
What you'll do, and what you'll demonstrate.
Implement production-grade authentication, MFA, and RBAC for a civic portal with 4 staff roles and a non-bypassable audit log.
Earning criteria — what you'll demonstrate
- Choose and justify a real auth stack against requirements
- Implement TOTP-based MFA correctly (no replayable secrets)
- Design RBAC with appropriate scope narrowing per role
- Build a tamper-evident audit log that survives a breach
Program Fit
Where this fits in your program.
Sharpens the same skills your degree expects you to demonstrate.
Skills
Skills you'll demonstrate.
Each one shows up on your verified credential.
Careers
Roles this prepares you for.
Real titles. Real skill bridges. Pick the one closest to your trajectory.
Career mappings coming soon.