prisma-rls
Advanced tools
🚧 The package is under active development, public api could be changed
The classic approach to implementing Row-Level Security (RLS) requires a database with built-in support and writing row-level security policies for tables.
This library offers an alternative approach - an extension to the Prisma client that adds additional "where" clauses to all model queries. This approach doesn't require RLS support on the database side (for example, in MySQL).
It's important to keep in mind that this extension doesn't cover raw queries. In such cases, you should take care of it yourself or use classic approach.
Define permissions for all models in your schema.
import { Prisma } from "@prisma/client";
import { PermissionsConfig } from "prisma-rls";
export type Context = Record<string, any>;
type RolePermissions = PermissionsConfig<Prisma.TypeMap, Context>;
export const Guest: RolePermissions = {
Post: {
read: { published: { equals: true } },
create: false,
update: false,
delete: false,
},
User: {
read: { role: { not: { equals: "admin" } } },
create: false,
update: false,
delete: false,
},
}
Extend the Prisma client with the rls extension.
import { Prisma, PrismaClient } from "@prisma/client";
import { createRlsExtension } from "prisma-rls";
import { Guest } from "./permissions/guest";
const context: Context = {};
const db = new PrismaClient().$extends(createRlsExtension(Prisma.dmmf, Guest, context));
After that all requests except raw will be executed according to permissions
Almost always you will have several roles, to describe them in a type-safe way use the following pattern:
import { admin } from "./admin";
import { guest } from "./guest";
type Role = "Admin" | "Guest";
type PermissionsRegistry = Record<Role, RolePermissions>;
export const permissionsRegistry = {
Admin: admin,
Guest: guest,
} satisfies PermissionsRegistry;
Since Prisma doesn't support context to pass data to the extensions, you will typically extend the client per request (based on role associated with auth token):
import { Prisma, PrismaClient } from "@prisma/client";
import Fastify, { FastifyRequest } from "fastify";
import { createRlsExtension } from "prisma-rls";
import { permissionsRegistry } from "./permissions";
(async () => {
const prisma = new PrismaClient();
const server = Fastify();
const resolveConext = (request: FastifyRequest) => {
const role = resolveRole(request.headers.authorization);
const rolePermissions = permissionsRegistry[role];
return { db: prisma.$extends(createRlsExtension(Prisma.dmmf, rolePermissions, { role })) };
}
server.get('/post/count', async function handler(request, reply) {
const { db } = resolveContext(request);
return await db.post.count();
})
await server.listen({ port: 8080, host: "0.0.0.0" });
})();
FAQs
Prisma client extension for row-level security on any database
The npm package prisma-rls receives a total of 192 weekly downloads. As such, prisma-rls popularity was classified as not popular.
We found that prisma-rls demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Newly introduced telemetry in devenv 1.4 sparked a backlash over privacy concerns, leading to the removal of its AI-powered feature after strong community pushback.
Security News
TC39 met in Seattle and advanced 9 JavaScript proposals, including three to Stage 4, introducing new features and enhancements for a future ECMAScript release.
Security News
Deno 2.2 enhances Node.js compatibility, improves dependency management, adds OpenTelemetry support, and expands linting and task automation for developers.