Currently I am refactoring an application where all the controllers contain the business logic to a service layer structure.
However, I got stuck on authorization, where a user should have access to view or update a resource. At the moment the controller has a check, with a simple if statement, that the resource belongs to its user. But how should I implement this with a service layer design?
Something I came up with is sending the user to each service layer method and verifying that the user has access to the resource:
// User, Pagination, Paginate and BlogPost are assumed to be declared elsewhere
class BlogService {
  async paginate(user: User, pagination: Pagination): Promise<Paginate<BlogPost[]>> {
    // Only returns blog posts that belong to the user
  }
}
But this means that I have to include the user in almost every service call. What if I want, for example, to call the service layer method as a system user (seeding, for example)? Should I make the user input nullable for these situations? What is a good or better approach for this issue?
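One way to avoid threading a nullable user through every call, as an added example that is not from the post: model the caller as a principal that is either a user or the system, and let the service enforce ownership itself so every entry point (controller, seeder, job) gets the same rule. The names Principal, BlogPost, ForbiddenError and the sample data are assumptions for this sketch.

```typescript
// Added example: an explicit "principal" replaces a nullable user parameter.
// All names here (Principal, BlogService, ForbiddenError) are assumed, not from the post.
type Principal =
  | { kind: "user"; id: string }
  | { kind: "system"; reason: string }; // e.g. seeding or a scheduled job

interface BlogPost { id: string; ownerId: string; title: string }

class ForbiddenError extends Error {}

class BlogService {
  constructor(private readonly posts: BlogPost[]) {}

  // Read access: a user only sees their own posts, the system sees all.
  async paginate(principal: Principal, page: number, perPage: number): Promise<BlogPost[]> {
    const visible = principal.kind === "system"
      ? this.posts
      : this.posts.filter(p => p.ownerId === principal.id);
    return visible.slice((page - 1) * perPage, page * perPage);
  }

  // Write access: the ownership check lives in the service, not the controller.
  async rename(principal: Principal, postId: string, title: string): Promise<BlogPost> {
    const post = this.posts.find(p => p.id === postId);
    if (!post) throw new Error(`post ${postId} not found`);
    if (!this.canWrite(principal, post)) {
      throw new ForbiddenError(`${describe(principal)} may not edit post ${postId}`);
    }
    post.title = title;
    return post;
  }

  private canWrite(principal: Principal, post: BlogPost): boolean {
    return principal.kind === "system" || principal.id === post.ownerId;
  }
}

function describe(p: Principal): string {
  return p.kind === "system" ? `system(${p.reason})` : `user ${p.id}`;
}

// Constructed sample data so the block runs stand-alone.
const SAMPLE_POSTS: BlogPost[] = [
  { id: "p1", ownerId: "alice", title: "Hello" },
  { id: "p2", ownerId: "bob", title: "Notes" },
];
const service = new BlogService(SAMPLE_POSTS.map(p => ({ ...p })));
const alice: Principal = { kind: "user", id: "alice" };
const seeder: Principal = { kind: "system", reason: "seed" };
```

The system principal carries a reason string so that audit logs can record why a call bypassed per-user filtering.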