casbin.js

Version: 0.0.2
Versions: 25
Maintainers: 1
Weekly downloads: 2.3K (decreased by 25.81%)

Casbin.js

Casbin.js is a frontend port of a backend Casbin service, which facilitates the manipulation, management and storage of the user permission in a frontend application.

Example

We demonstrate the usage of Casbin.js with a React app. View the code to see more details.

You can use manual mode in Casbin.js, and set the permission whenever you wish.

const casbinjs = require('casbin.js');

// Set the user's permission:
// the user can read 2 objects: data1 and data2,
// and can write 1 object: data1.
const permission = {
    "read": ['data1', 'data2'],
    "write": ['data1']
};

// Run casbin.js in manual mode, which requires you to set the permission manually.
const authorizer = new casbinjs.Authorizer("manual");

authorizer.setPermission(permission);
console.log(authorizer.can("read", "data1"));
console.log(authorizer.cannot("write", "data2"));

You can also use auto mode: specify a Casbin backend service endpoint when initializing the Casbin.js authorizer, and set the subject whenever the frontend user identity changes. Casbin.js will automatically fetch the permission from the endpoint. (A pre-configured Casbin service API is required at the backend.)

const casbinjs = require('casbin.js');

// Set your backend casbin service url
const authorizer = new casbinjs.Authorizer('auto', {endpoint: 'http://Domain_name/casbin/api'});

// When the identity shifts, reset the user. Casbin.js will automatically fetch the permission from the endpoint.
authorizer.setUser("Tom");

// Evaluate the permission
authorizer.can("read", "data1");

More functionality for Casbin.js is still under development. Feel free to raise issues to share your feature suggestions!

TODO MAP

  • Permission cache.
  • Integration with other modern frontend frameworks.

Backup

In short, Casbin.js is an add-on that extends Casbin access management to the frontend. Casbin.js itself doesn't support functionality such as diverse access-control models or authorization enforcement.

Why Casbin.js? Normally, it is not appropriate to build a Casbin service and perform the authorization/enforcement tasks directly in a web frontend application, due to the following problems:

  1. When someone opens the client, the enforcer is initialized and pulls all the policies from the backend persistence layer. High concurrency could put heavy pressure on the databases and consume a lot of network throughput.
  2. Loading all policies to the client side could introduce security risks.

We wish to come up with a tool that eases the process of using Casbin at the frontend. Casbin.js is responsible for manipulating the current user's permission on the client side. As you mentioned, Casbin.js does a fetch from a specified endpoint. This procedure syncs the user's permission with the backend Casbin service. Once it has the permission data, developers can use the Casbin.js interfaces to manage the user's behavior on the frontend side.

Casbin.js avoids the two problems mentioned above: the Casbin service is no longer pulled up repeatedly, and the size of the messages passed between the client and the server is reduced. We also avoid storing all the policies at the frontend. A user can access only his own permission, and knows nothing about the access-control model or other users' permissions.

We believe Casbin.js can efficiently decouple the client and the server in authorization management.

The development of Casbin.js is still ongoing, and many features are under discussion. It would be greatly appreciated if you could raise issues in the repo or share your opinions with us.
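
The split described above, as an added example (not code from Casbin.js or the Casbin project): the server derives one user's permission object from its policy and still makes the final decision on every request, while the client copy only drives the UI. The policy rules and the names `enforce`, `permissionsFor`, `can` and `handleWrite` are assumptions made for illustration.

```javascript
// Constructed sample policy as [subject, object, action] rules (not from the page).
const POLICIES = [
  ['Tom', 'data1', 'read'],
  ['Tom', 'data2', 'read'],
  ['Tom', 'data1', 'write'],
  ['Alice', 'data2', 'write'],
  ['Alice', 'data3', 'read'],
];

// Server side: the authoritative decision. Every API request is checked here,
// no matter what the frontend showed or hid.
function enforce(policies, sub, obj, act) {
  return policies.some(([s, o, a]) => s === sub && o === obj && a === act);
}

// Server side: build the payload for one authenticated subject, in the
// {action: [objects]} shape the README passes to setPermission().
// Only this user's rules are included; other users' rules stay on the server.
function permissionsFor(policies, sub) {
  const out = Object.create(null); // no inherited keys such as "constructor"
  for (const [s, obj, act] of policies) {
    if (s !== sub) continue;
    if (!out[act]) out[act] = [];
    if (!out[act].includes(obj)) out[act].push(obj);
  }
  return out;
}

// Client side: hypothetical stand-in for authorizer.can(); a UI hint only.
function can(permission, act, obj) {
  return Array.isArray(permission[act]) && permission[act].includes(obj);
}

// Hypothetical request handler: the subject comes from the server's session,
// never from the request body, and the decision ignores client-side state.
function handleWrite(policies, sessionUser, obj) {
  return enforce(policies, sessionUser, obj, 'write')
    ? { status: 200 }
    : { status: 403 };
}

const tomView = permissionsFor(POLICIES, 'Tom');
// An edited client-side copy changes what the UI shows, not what the server allows.
const edited = { ...tomView, write: ['data1', 'data2'] };
console.log(JSON.stringify(tomView), can(edited, 'write', 'data2'),
            handleWrite(POLICIES, 'Tom', 'data2').status);
```
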

FAQs

Package last updated on 16 Aug 2020
