This is a submission for the Permit.io Authorization Challenge: Permissions Redefined

What I Built

Portfolithonica: A Permission-Aware Jam Platform

You know what I've done a lot?
lose game jams and hackathons.
So this one is about making game jams, to create one, enter a submission, judge it, and win.

🧱 The Stack

  • Frontend: lovable, tsx, React

  • Backend: Node.js + Express proxy

  • Permit PDP: Docker container (works great locally, not separately hosted… details below)

  • Permit Cloud: For managing roles, resources, and policies

🎯 The Goal

It's gotta be obvious that it works.
without me hardcoding access logic all over
Organizers can edit the jam and judging, issue late submission links.
participants

🛠️ How I Built It

  • So I made a proxy server, because API keys.
  • Is that the correct decision? ask me later. currently it probably isn't hosted, but what definitely isn't:

  • PDP (Policy Decision Point) runs locally in Docker — lovable didn't work with this the first time I tried, but at least it works on my machine

  • Defined resources like jam and submission, and actions like create, judge, update.

  • Set up global roles (e.g. organizer) and contextual roles (jam#participant, etc).

  • Used derivation rules — if you’re a jam#participant, you automatically get access to submission# for that jam.

⚠️ The Sticktion

  • **CORS a couple times.. Had to explicitly allow Pragma headers.

  • Platform constraints - host the PDP / proxy? elsewhere (Fly.io, Render, etc).

  • Derivations don’t imply permissions. Just because submission#participant is derived from jam#participant doesn’t mean it can create or update. You still need to explicitly grant those actions.

  • Random 500s until I increased the PDP SDK timeout to 5000ms.

✅ What’s Working

  • Organizers can create/manage jams not anymore, actually
  • Participants can submit entries (if allowed) player can mutate any rn, ownership based or role based

  • Role-checking is fully dynamic

  • UI adapts based on permissions (canUpdateJam, canJudgeSubmissions, etc) probably should not have done this for development velocity and huh-ness?

🛠️ Still To-Do

  • Submitting content/actual

  • Late submissions as a role-based toggle

  • Eventually: live jam status, feedback, maybe voting

  • persistent storage and entries

How is it?

Permit.io makes it super easy to think in terms of roles and resources, but you need infra that supports the PDP.
Having done auth before, and gotten another project stuck in a bad shared build state, this was a nice approach; and would probably scale well with an umbrella project

Demo

Image description

Image description

Project Repo

https://github.com/instancer-kirik/portfolia.git

My Journey

I wanted to win a game jam, so I made a game jam simulator that I can almost win. But then I decided to add db persistence in the last 4 hours, but now, it's time for a post and a demo.
It no longer works for a believable demo, 2 grey loading loop buttons, and no grant organizer button and sleepy. I have only so many prompts and edits and fixes and fx to give.

And also tsx has weird lightmode flashes and theme issues, or maybe that's my fault (probably not)

Using Permit.io for Authorization

it worked actually, used the PDP and dispatched from a proxy server.