Auth Session and Role Drift
Runbook for stale role claims, incorrect admin gating, and mismatches between live org roles and token claims.
What It Is
Use this runbook when a user is clearly an admin in one part of the platform but another service still treats them as holding a lower-privilege role.
How It Works
This usually happens when a service trusts stale token claims or locally cached role state instead of fresh Auth validation output. Role claims are snapshotted into a token when it is issued, so a role change made after that point is not reflected until the token expires or is re-issued; any service that authorizes from the claim alone keeps seeing the old role.
Interfaces
- Auth validate route
- shared auth middleware
- service-specific admin gates
Data Flow
- The client sends a token or session cookie to a service.
- The service or middleware resolves user context.
- The service applies admin/owner or explicit permission checks.
Failure Modes
- stale token claims override fresh role state
- middleware prefers local token data instead of Auth validation
- service-specific admin gate checks the wrong role field
Debugging
- verify the current org role in Auth
- inspect middleware precedence between local JWT decode and Auth validation
- inspect the target service’s admin gate and permission check
- compare the live user context returned by Auth with the one used by the service
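The following is an added example, not the platform's own middleware or Auth code. It models the Data Flow above, reproduces the three Failure Modes, and turns the Debugging steps into a drift check that compares the live Auth context with the context a service actually used. Every name in it (validate_with_auth, LIVE_AUTH_DIRECTORY, the claim field names, the sample token) is an assumption made for this illustration; the token has no real signature because verification is outside this runbook.

```python
# Added example (not the platform's own middleware): a self-contained model
# of the precedence bug and a drift check that follows the Debugging steps.
# Every name here (validate_with_auth, LIVE_AUTH_DIRECTORY, the claim
# fields, the sample token) is an assumption made for this illustration.
import base64
import json
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for what the Auth validate route knows right now:
# user-123 was promoted to org admin after their token was minted.
LIVE_AUTH_DIRECTORY = {
    "user-123": {"org_id": "org-9", "org_role": "admin", "platform_role": "user"},
}


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped token (header.payload.signature) for the example.
    The signature is a placeholder; verification is outside this runbook."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"


# Constructed stale token: org_role was snapshotted as "member" at issue time.
STALE_TOKEN = make_unsigned_jwt(
    {"sub": "user-123", "org_id": "org-9", "org_role": "member", "platform_role": "user"}
)


def decode_claims(token: str) -> dict:
    """Local JWT decode only: no signature check, no freshness guarantee."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


@dataclass
class UserContext:
    user_id: str
    org_id: str
    org_role: str
    platform_role: str
    source: str  # "auth" when it came from Auth validation, "token" from a local decode


def validate_with_auth(token: str) -> Optional[UserContext]:
    """Stand-in for the Auth validate route: live org role for the token's
    subject, or None when Auth rejects the token or is unreachable."""
    claims = decode_claims(token)
    live = LIVE_AUTH_DIRECTORY.get(claims["sub"])
    if live is None:
        return None
    return UserContext(claims["sub"], live["org_id"], live["org_role"], live["platform_role"], "auth")


# Failure modes 1 and 2: middleware that builds user context from the local
# decode, so whatever role the token carried at issue time wins.
def resolve_context_stale(token: str) -> UserContext:
    c = decode_claims(token)
    return UserContext(c["sub"], c["org_id"], c["org_role"], c["platform_role"], "token")


# Fix: Auth validation output is the only source of role state. If Auth is
# unavailable, fail closed instead of falling back to possibly stale claims.
def resolve_context_fresh(token: str) -> UserContext:
    ctx = validate_with_auth(token)
    if ctx is None:
        raise PermissionError("Auth validation failed or unavailable; refusing to authorize")
    return ctx


# Failure mode 3: a service-specific gate that reads the platform-level role
# instead of the org role, so an org admin is denied admin actions.
def admin_gate_wrong_field(ctx: UserContext) -> bool:
    return ctx.platform_role == "admin"


def admin_gate(ctx: UserContext) -> bool:
    """Admin/owner gate on the org role, which is what Auth is authoritative for."""
    return ctx.org_role in ("admin", "owner")


def check_role_drift(token: str, service_ctx: UserContext) -> list:
    """Debugging steps as code: compare the live Auth context with the context
    the service actually used and report each mismatch."""
    findings = []
    live = validate_with_auth(token)
    if live is None:
        return ["Auth validation failed for this token; nothing to compare against"]
    claims = decode_claims(token)
    if claims.get("org_role") != live.org_role:
        findings.append(f"token claim org_role={claims.get('org_role')!r} is stale; Auth says {live.org_role!r}")
    if service_ctx.source != "auth":
        findings.append(f"service context came from {service_ctx.source!r}, not from Auth validation")
    if service_ctx.org_role != live.org_role:
        findings.append(f"service used org_role={service_ctx.org_role!r}; Auth says {live.org_role!r}")
    return findings


if __name__ == "__main__":
    for finding in check_role_drift(STALE_TOKEN, resolve_context_stale(STALE_TOKEN)):
        print("DRIFT:", finding)
```

Run as-is to see the three findings the stale middleware produces for the constructed token. The design point is that resolve_context_fresh never consults the decoded claims for a role at all and fails closed when Auth is unavailable; a fallback to the local decode would reintroduce the drift under exactly the conditions (Auth degraded) where it is hardest to notice.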
Change Log / Verification
- Verified against the CRM admin-access regression and fix on 2026-03-29