Product
Reachability for Ruby Now in Beta
Reachability analysis for Ruby is now in beta, helping teams identify which vulnerabilities are truly exploitable in their applications.
By Oskar Haarklou Veileborg -  Nov 17, 2025
🚀 DAY 1 OF LAUNCH WEEK: Reachability for Ruby Now in Beta.Learn more →
@beyonk/sapper-rbac
Advanced tools
RBAC for Sapper
Role-based access control for Sapper. Works on both the server-, and, client-side.
Install
Install as a dev dependency:
npm install --save-dev @beyonk/sapper-rbac
Usage
Define a set of route permissions in your application
- For Sapper to work,
/client/.*is automatically unrestricted.
import { Router } from '@beyonk/sapper-rbac'
const routes = new Router()
.unrestrict('/login.*')
.restrict('/admin/sales.*', [ 'admin', 'sales' ])
.restrict('/admin.*', ['admin'])
.restrict('.*', [ 'customer' ])
.build()
export default routes
For the server-side
import { guard } from '@beyonk/sapper-rbac'
import routes from './my-routes.js'
const app = polka()
.use(
sessionMiddleware,
(req, res, next) => {
const options = {
routes,
deny: () => {
res.writeHead(302, { Location: '/login' })
return res.end()
},
grant: () => {
return sapper.middleware({
session: () => (res.user ? { user: res.user } : {})
})(req, res, next)
}
}
return guard(req.path, res.user, options)
}
)
sessionMiddleware
This middleware adds a user object at res.user (or null if the request isn't authenticated). The only required attribute of this user is scope which contains a list of authentication scopes that the user has:
function sessionMiddleware (req, res, next) {
res.user = {
scope: ['admin', 'other']
}
next()
}
deny
For cases where the user is denied access, call this function.
The deny function receives two parameters:
deny (path, scope) {
// path: /some/path - the path the user attempted to access
// scope: {
// given: [ 'sales.view', 'booking.create' ] - the scopes the user has
// required: [ 'admin.view' ] - the scopes the user required
// }
}
grant
For cases where the user is granted access, call this function.
For the client-side
On the client side, we integrate with the page store in the root _layout.svelte:
import routes from './my-routes.js'
import { guard } from '@beyonk/sapper-rbac'
import { tick } from 'svelte'
import { stores, goto } from '@sapper/app'
const { page, session } = stores()
const options = {
routes,
deny: () => goto('/login')
// we don't specify grant here, since we don't need to do anything.
}
// Listen to the page store.
page.subscribe(async v => {
await tick() // let the previous routing finish first.
guard(v.path, $session.user, options)
})
FAQs
Role-based authentication for Sapper
We found that @beyonk/sapper-rbac demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Package last updated on 12 Dec 2019
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
/Security News
npm Malware Campaign Uses Adspect Cloaking to Deliver Malicious Redirects
Malicious npm packages use Adspect cloaking and fake CAPTCHAs to fingerprint visitors and redirect victims to crypto-themed scam sites.
By Olivia Brown -  Nov 17, 2025
Security News
Another Round of TEA Protocol Spam Floods npm, But It’s Not a Worm
Recent coverage mislabels the latest TEA protocol spam as a worm. Here’s what’s actually happening.
By Philipp Burckhardt -  Nov 14, 2025