access-weaver
Advanced tools
A lightweight and flexible access control middleware for Node.js and Express, supporting policy-based authorization
Access Weaver is a lightweight, declarative authorization middleware for Express.js.
It helps you weave access control policies into your routes using simple, rule-based flows.
🔑 Declarative rules with allow / deny effects.
🎯 Resource-based access with wildcards (*).
⚡ Express.js middleware with simple setup.
🧩 Flexible targets (static or dynamic from req).
🧪 Easy to test with SuperTest and Jest.
npm install access-weaver
or
yarn add access-weaver
Policies are collections of flow rules:
const allowInvoiceRead = [
{
effect: "allow",
action: "invoice.read",
target: "invoice:*",
},
];
const denyInvoiceRead = [
{
effect: "deny",
action: "invoice.read",
target: "invoice:*",
},
];
Attach policies to the req.user object:
app.use((req, _res, next) => {
req.user = {
id: "u1",
// Use like this
policies: allowInvoiceRead,
};
next();
}
);
Use the authorize middleware:
import express from "express";
import {authorize} from "access-weaver";
const app = express();
app.get(
"/invoice/:id",
authorize({
action: "invoice.read",
target: (req) => `invoice:${req.params.id}`, // -> always do this when getting single data so that if any policy restrict someone it would work automatically
}),
(req, res) => {
res.json({data: `Invoice data for ${req.params.id}`});
}
);
app.delete(
"/users/delete/:id",
authorize({
action: "users.delete",
target: (req) => `users:${req.params.id}`,
}),
(req, res) => {
res.json({data: `User deleted with id ${req.params.id}`});
}
);
app.get(
"/users",
authorize({
action: "users.read",
target: () => `users:*`,
}),
(req, res) => {
res.json({data: [{id: 1}, {id: 2}, {id: 3}]});
}
);
app.get(
"/users/:id",
authorize({
action: "users.read",
target: (req) => `users:${req.params.id}`,
}),
(req, res) => {
res.json({data: {userId: req.params.id}});
}
);
| Policy Name | Action | Target | Effect | Description |
|---|---|---|---|---|
| allowInvoiceRead | invoice.read | invoice:* | allow | Can read all invoices |
| denyInvoiceRead | invoice.read | invoice:* | deny | Cannot read invoices |
| allowInvoiceUpdate | invoice.update | invoice:* | allow | Can update invoices |
| allowUserDeleteWithSpecificId | users.delete | users:101 | allow | Can delete only user with ID 101 |
| allowDeleteAnyUser | users.delete | users:* | allow | Can delete any user |
| allowUserGetAll | users.read | users:* | allow | Can read all users |
| allowSingleUserRead | users.read | users:101 | allow | Can only read user with ID 101 |
import request from "supertest";
it("should allow invoice read when policy permits", async () => {
const app = makeApp(allowInvoiceRead);
const res = await request(app).get("/invoice/123");
expect(res.status).toBe(200);
expect(res.body).toEqual({data: "Invoice data for 123"});
});
PRs and issues are welcome! 🎉
If you find a bug or want a feature, open an issue.
MIT © 2025
FAQs
A lightweight and flexible access control middleware for Node.js and Express, supporting policy-based authorization
We found that access-weaver demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Multiple high-impact npm maintainers confirm they have been targeted in the same social engineering campaign that compromised Axios.
Security News
Axios compromise traced to social engineering, showing how attacks on maintainers can bypass controls and expose the broader software supply chain.
Security News
Node.js has paused its bug bounty program after funding ended, removing payouts for vulnerability reports but keeping its security process unchanged.