NestJS RBAC Authorization
Simple RBAC implementation for NestJS that allows you to define required permissions as glob patterns on controllers and routes and validate them with the built-in AuthGuard
Warning
This library is for experimentation and may contain some bugs that I will remove from time to time.
With this library I'm learning how dependency injection works and how to build such libraries according to "best practice".
So please use this library with caution.
Information
If you want to use the old RBAC system, please use v0.1.4 because v1.X.X uses a new system with a dot notation (e.g.: foo.bar.*)
Installation
npm i @marxlnfcs/nest-rbac-auth
Usage
Import Module
import { RbacModule } from '@marxlnfcs/nest-rbac-auth';
/**
 * Root application module; registers the RBAC module by calling
 * `RbacModule.forRoot()` with no arguments.
 */
@Module({ imports: [RbacModule.forRoot()] })
export class AppModule {}
Controller
import { RbacSection, RbacRequires } from '@marxlnfcs/nest-rbac-auth';
// Example controller. Each @RbacSection takes a section key and a display title, and each
// @RbacRequires takes a permission key and a human-readable description for one route.
// Presumably the keys are joined in dot notation (e.g. access.user.list) — confirm against the library.
// NOTE(review): the decorators here only declare what a route requires; enforcement presumably
// depends on a guard derived from RbacGuard() being applied to these routes — confirm.
@Controller('/users')
@RbacSection('access', 'Access Management')
@RbacSection('user', 'User')
export class UserController {
  @Get()
  @RbacRequires('list', 'Can list users')
  getUsers(){ ... }

  // NOTE(review): 'GET' is upper-case while every other permission key in this controller is
  // lower-case. If pattern matching is case-sensitive, a rule written as '*.get' would not
  // cover this route — confirm the intended key.
  @Get('/:userId')
  @RbacRequires('GET', 'Can retrieve a user')
  getUser(...){ ... }

  @Post('/')
  @RbacRequires('create', 'Can create a user')
  createUser(...){ ... }

  @Put('/:userId')
  @RbacRequires('update', 'Can update a user')
  updateUser(...){ ... }

  @Delete('/:userId')
  @RbacRequires('delete', 'Can delete a user')
  deleteUser(...){ ... }

  // Non-CRUD action with its own permission key, so it can be granted or denied separately.
  @Post('/action')
  @RbacRequires('custom', 'Can do <custom> action')
  customAction(...){ ... }
}
// Second example controller: it reuses the 'access' section and adds its own 'group' section.
// Route handlers are elided in this snippet.
@Controller('/groups')
@RbacSection('access', 'Access Management')
@RbacSection('group', 'Group')
export class GroupController {
  ...
}
Validate Bindings / Permissions with the Built-in AuthGuard
import { RbacService, RbacGuard, IRbacValidateRequest } from '@marxlnfcs/nest-rbac-auth';
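/**
 * Example guard that checks an incoming request against a list of permission patterns.
 *
 * NOTE(review): the pattern list in `validate` is hard-coded, so every caller receives the
 * same grant. In a real application the patterns should be resolved from the authenticated
 * principal (its roles or bindings) for each request.
 * The snippet omits the imports for `Injectable` and `Observable`.
 */
@Injectable()
export class RoleGuard extends RbacGuard() {
  constructor(
    private rbacService: RbacService,
  ){
    // A derived-class constructor has to call super() before the instance is usable;
    // without it, constructing the guard throws at runtime.
    // NOTE(review): forward any arguments the base class returned by RbacGuard() expects — confirm.
    super();
  }

  /**
   * Decides whether the request may proceed.
   *
   * @param request - validation request passed in by the base guard
   * @returns the result of the inherited `validateRequest` for the given pattern list
   */
  validate(request: IRbacValidateRequest): boolean | Promise<boolean> | Observable<boolean> {
    // '*' presumably allows every permission and the '!'-prefixed entries presumably exclude
    // create and update — confirm the glob semantics. With this list nothing excludes the
    // 'delete' or 'custom' permissions, so an allow-all list with exclusions grants any newly
    // added permission by default; prefer an explicit allow list per role (deny by default).
    return this.validateRequest(request, ['*', '!*.create', '!*.update']);
  }
}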
Skip validation for certain routes
import { RbacSection, RbacRequiresList } from '@marxlnfcs/nest-rbac-auth';
// Example of opting a single route out of RBAC validation.
@Controller('/users')
@RbacSection('access', 'Access Management')
@RbacSection('user', 'User')
export class UserController {
  // skipValidation: true turns off the permission check for this route, so no RBAC pattern
  // protects the user listing. Reserve it for endpoints that are meant to be reachable
  // without a permission, and review every use.
  // NOTE(review): whether authentication (as opposed to authorization) still applies depends
  // on the other guards on this route — confirm.
  @Get()
  @RbacRequiresList({ skipValidation: true })
  getUsers(){ ... }
}