Security Tip: Add Authorisation at the Start!

Let's answer a question raised in episode 89: Money Mindset of the Mostly Technical Podcast. Ian Landsman was working on a new app, and was asking if he should be adding in authorisation gates now, before he works out how permissions will work, or if he should leave the gates out and add them in later when permissions are ready.

This caught my attention, and raised the following question:

Is it a "premature optimisation" to add authorisation (permissions) to your app before you know how your authorisation will be structured, or should you consider authorisation and add placeholders when writing new code and building new features from the start?

To which my answer is:

Yes, put authorisation (or placeholders) in from the start!

Even if you're only using placeholders that return true or fallback to a global permission level (i.e. Edit Game -> View Game -> Active Subscription), there are two main benefits:

1. When you do need to add authorisation, you won't need to manually trawl your code looking for all the areas that need authorisation - and inevitably miss some of them!
2. You'll be designing your code with authorisation in mind, adding in boundaries and segregating different permission-levels of your code from the start, so you don't need to come along later and manually refactor a tightly woven piece of essential functionality to get permissions working.

Ultimately, the term "premature optimisation" just doesn't make sense in a lot of security contexts, because security can't be a reactive process - it needs to be proactive. When it comes to improving performance by adding caches or database indexes, you can wait until your monitoring tools report slow routes, but you can't wait for a data breach to tell you which routes are missing permissions checks.

All of that said, you do need to factor into it what the app does and how complex it is going to be. Will it actually need permissions? Will my placeholders accurately represent the permissions that I might need? Security folks can be very black-and-white about "you need proper authorisation", so you do need to factor in context too.

I would love to hear your thoughts on the subject - do you agree with me, or am I just being paranoid? How do you handle authorisation in a new app? Shout out in the comments or on socials!

If you found this security tip useful, subscribe to get weekly Security Tips straight to your inbox. Upgrade to a premium subscription for exclusive monthly In Depth articles, or drop a coin in the tip jar to show your support.

When was the last time you had a penetration test? Book a Laravel Security Audit and Penetration Test, or a budget-friendly Security Review!

You can also connect with me on Bluesky, or other socials, and check out Practical Laravel Security, my interactive course designed to boost your Laravel security skills.