Field-level Access Control List for Node.js and a NoSql back end such as MongoDB. Using this library you can specify role-based permissions on your resources down to the field level for CRUD operations.
The basic idea is that you stop writing explicit authorization logic throughout your codebase about which data different users can access and how they may query and modify it. This gets complicated quickly and creates many exception cases in your code that must be tested and that often produce bugs.
Instead, you can simply create a configuration file which can be applied in a generic way for CRUD operations. This will enable you to abstract out a lot of business logic and create a more robust application.
First, install fakeblock as a dependency:

    npm install --save fakeblock
Then, create an ACL for a particular resource. For example, something like this for your Mongo users collection:
    // users.acl.js
    module.exports = {
      update: {
        access: ['admin', 'poweruser', 'lineworker'],
        fields: {
          restricted: {
            poweruser: ['stats'],
            lineworker: ['stats', 'profile']
          }
        }
      }
    };
With this, you can then apply the ACL to a given operation like this:
    var usersAcl = require('./users.acl');
    var Fakeblock = require('fakeblock');

    var data = { name: 'Joe', profile: 'me.jpg' };

    // currentUser is the authenticated user from your own application code
    // a fakeblock instance is created for each user and each ACL
    var fakeblock = new Fakeblock({
      name: 'users',
      acl: usersAcl,
      userId: currentUser.id,
      userRole: currentUser.role
    });

    // this throws an error when currentUser is a lineworker, because that role
    // is not allowed to update the profile field
    fakeblock.applyAcl(data, 'update');
The basic format of the configuration file is a JSON document with the following hierarchy:
    var acl = {
      [create|find|update|remove]: {
        // roles that have access to this operation
        access: ['role1', 'role2'],
        // as appropriate for the different operations (e.g. select only applies to find)
        [select|where|fields|sort]: {
          // optional, used when roles should only have access to their own documents
          onlyMine: {
            roles: ['role1'],
            field: 'createUserId' // createUserId is the default
          },
          // this says that role2 can't access field1 or field2.blah
          restricted: {
            role2: ['field1', 'field2.blah']
          },
          // this says role1 can ONLY access field3 or field4.blah
          allowed: {
            role1: ['field3', 'field4.blah']
          },
          // this says that if role3 passes no input data to applyAcl, this default value is used
          'default': {
            role3: ['-author', '-another']
          }
        }
      }
    };
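To make the evaluation order of the access, restricted and allowed rules concrete, here is an added, self-contained illustration of those three rules applied to the users ACL from above. This is example code written for this page, not fakeblock's own implementation; the ACL it uses is the README's users.acl.js plus a constructed `allowed` list for poweruser, and the onlyMine and default rules are not modelled.

```javascript
// Added illustration of the access/restricted/allowed rules described above; not fakeblock's own code.
// Field paths use the README's dotted notation ('profile.avatar'); onlyMine and default are not modelled.

// Flatten a document into dotted key paths: { a: { b: 1 }, c: 2 } -> ['a.b', 'c']
function keyPaths(obj, prefix) {
  prefix = prefix || '';
  return Object.keys(obj).reduce(function (paths, k) {
    var v = obj[k];
    if (v && typeof v === 'object' && !Array.isArray(v)) {
      return paths.concat(keyPaths(v, prefix + k + '.'));
    }
    return paths.concat([prefix + k]);
  }, []);
}

// True if `path` equals or lies beneath any rule path ('profile' also covers 'profile.avatar')
function matches(path, rulePaths) {
  return rulePaths.some(function (r) { return path === r || path.indexOf(r + '.') === 0; });
}

// Check one operation for one role: deny if the role lacks access, if any field is
// restricted for it, or (when an allowed list exists) if any field is outside that list.
// Throws on denial, otherwise returns the data unchanged.
function applyFieldAcl(acl, op, role, data) {
  var rules = acl[op];
  if (!rules || rules.access.indexOf(role) === -1) {
    throw new Error(role + ' may not ' + op);
  }
  var fields = rules.fields || {};
  var restricted = (fields.restricted && fields.restricted[role]) || [];
  var allowed = fields.allowed && fields.allowed[role];
  keyPaths(data).forEach(function (path) {
    if (matches(path, restricted) || (allowed && !matches(path, allowed))) {
      throw new Error(role + ' may not ' + op + ' field ' + path);
    }
  });
  return data;
}

// Constructed ACL: the README's users.acl.js plus an `allowed` list for poweruser
var usersAcl = {
  update: {
    access: ['admin', 'poweruser', 'lineworker'],
    fields: {
      restricted: { poweruser: ['stats'], lineworker: ['stats', 'profile'] },
      allowed: { poweruser: ['name', 'profile'] }
    }
  }
};
```

With this ACL, `applyFieldAcl(usersAcl, 'update', 'lineworker', { name: 'Joe', profile: 'me.jpg' })` throws on the profile field, while the same update by admin passes, and a nested `profile.avatar` is caught by the `profile` rule.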