Role, Attribute and conditions based Access Control for Node.js
npm i role-acl --save
Many RBAC (Role-Based Access Control) implementations differ, but the basics is widely adopted since it simulates real life role (job) assignments. But while data is getting more and more complex; you need to define policies on resources, subjects or even environments. This is called ABAC (Attribute-Based Access Control).
With the idea of merging the best features of the two (see this NIST paper); this library implements RBAC basics and also focuses on resource, action attributes and conditions.
This library is an extension of AccessControl. But I removed support for possession and deny statements from orginal implementation.
ac.can(role).execute('create').on(resource)const AccessControl = require('role-acl');
// or:
// import { AccessControl } from 'role-acl';
Define roles and grants one by one.
const ac = new AccessControl();
ac.grant('user') // define new or modify existing role. also takes an array.
.execute('create').on('video') // equivalent to .execute('create').on('video', ['*'])
.execute('delete').on('video')
.execute('read').on('video')
.grant('admin') // switch to another role without breaking the chain
.extend('user') // inherit role capabilities. also takes an array
.execute('update').on('video', ['title']) // explicitly defined attributes
.execute('delete').on('video');
const permission = ac.can('user').execute('create').on('video');
console.log(permission.granted); // —> true
console.log(permission.attributes); // —> ['*'] (all attributes)
permission = ac.can('admin').execute('update').on('video');
console.log(permission.granted); // —> true
console.log(permission.attributes); // —> ['title']
Define roles and grants one by one.
const ac = new AccessControl();
ac.grant('user').condition(
{
Fn: 'EQUALS',
args: {
'category': 'sports'
}
}).execute('create').on('article');
let permission = ac.can('user').context({ category: 'sports' }).execute('create').on('article');
console.log(permission.granted); // —> true
console.log(permission.attributes); // —> ['*'] (all attributes)
permission = ac.can('user').context({ category: 'tech' }).execute('create').on('article');
console.log(permission.granted); // —> false
console.log(permission.attributes); // —> []
Check role permissions for the requested resource and action, if granted; respond with filtered attributes.
const ac = new AccessControl(grants);
// ...
router.get('/videos/:title', function (req, res, next) {
const permission = ac.can(req.user.role).execute('read').on('video');
if (permission.granted) {
Video.find(req.params.title, function (err, data) {
if (err || !data) return res.status(404).end();
// filter data by permission attributes and send.
res.json(permission.filter(data));
});
} else {
// resource is forbidden for this user/role
res.status(403).end();
}
});
You can create/define roles simply by calling .grant(<role>) method on an AccessControl instance.
Roles can extend other roles.
// user role inherits viewer role permissions
ac.grant('user').extend('viewer');
// admin role inherits both user and editor role permissions
ac.grant('admin').extend(['user', 'editor']);
// both admin and superadmin roles inherit moderator permissions
ac.grant(['admin', 'superadmin']).extend('moderator');
ac.grant('editor').execute('publish').on('article');
let permission = ac.can('editor').execute('publish').on('article');
console(permission.attributes); // —> ['*'] (all attributes)
console(permission.granted); // -> true
ac.grant('sports/editor').execute('publish').when({Fn: 'EQUALS', args: {category: 'sports'}}).on('article');
permission = ac.can('sports/editor').execute('publish').with({category: 'sports'}).on('article');
console(permission.attributes); // —> ['*'] (all attributes)
console(permission.granted); // -> true
permission = ac.can('sports/editor').execute('publish').with({category: 'politics'})).on('article');
console(permission.attributes).toEqual([]);
console(permission.granted).toEqual(false);
ac.grant({
role: 'politics/editor',
action: 'publish',
resource: 'article',
condition: {Fn: 'EQUALS', args: {category: 'politics'}},
attributes: attrs
});
permission = ac.can('politics/editor').execute('publish').with({category: 'politics'}).on('article');
console(permission.attributes).toEqual(attrs);
console(permission.granted).toEqual(true);
Multiple roles can have access to a specific resource. But depending on the context, you may need to limit the contents of the resource for specific roles.
This is possible by resource attributes. You can use Glob notation to define allowed or denied attributes.
For example, we have a video resource that has the following attributes: id, title and runtime.
All attributes of any video resource can be read by an admin role:
ac.grant('admin').execute('read').on('video', ['*']);
// equivalent to:
// ac.grant('admin').execute('read').on('video');
But the id attribute should not be read by a user role.
ac.grant('user').execute('read').on('video', ['*', '!id']);
// equivalent to:
// ac.grant('user').execute('read').on('video', ['title', 'runtime']);
You can also use nested objects (attributes).
ac.grant('user').execute('read').on('account', ['*', '!record.id']);
You can call .can(<role>).<action>(<resource>) on an AccessControl instance to check for granted permissions for a specific resource and action.
const permission = ac.can('user').execute('read').on('account');
permission.granted; // true
permission.attributes; // ['*', '!record.id']
permission.filter(data); // filtered data (without record.id)
See express.js example.
You can pass the grants directly to the AccessControl constructor.
It accepts either an Object:
// This is actually how the grants are maintained internally.
let grantsObject = {
admin: {
video: {
'create': ['*'],
'read': ['*'],
'update': ['*'],
'delete': ['*']
}
},
user: {
video: {
'create:own': ['*'],
'read:own': ['*'],
'update:own': ['*'],
'delete:own': ['*']
}
},
"sports/editor": {
article: {
"create:any": [
{
attributes: ["*"],
condition: {
Fn: 'EQUALS',
args: {
'category': 'sports'
}
}
}
],
"update:any": [
{
attributes: ["*"],
condition: {
Fn: 'EQUALS',
args: {
'category': 'sports'
}
}
}
]
}
},
"sports/writer": {
article: {
"create:any": [
{
attributes: ["*", "!status"],
condition: {
Fn: 'EQUALS',
args: {
'category': 'sports'
}
}
}
],
"update:any": [
{
attributes: ["*", "!status"],
condition: {
Fn: 'EQUALS',
args: {
'category': 'sports'
}
}
}
]
}
}
};
const ac = new AccessControl(grantsObject);
... or an Array (useful when fetched from a database):
// grant list fetched from DB (to be converted to a valid grants object, internally)
let grantList = [
{ role: 'admin', resource: 'video', action: 'create', attributes: ['*'] },
{ role: 'admin', resource: 'video', action: 'read', attributes: ['*'] },
{ role: 'admin', resource: 'video', action: 'update', attributes: ['*'] },
{ role: 'admin', resource: 'video', action: 'delete', attributes: ['*'] },
{ role: 'user', resource: 'video', action: 'create:own', attributes: ['*'] },
{ role: 'user', resource: 'video', action: 'read', attributes: ['*'] },
{ role: 'user', resource: 'video', action: 'update:own', attributes: ['*'] },
{ role: 'user', resource: 'video', action: 'delete:own', attributes: ['*'] },
{ role: 'sports/editor', resource: 'article', action: 'create', attributes: ['*'],
condition: { "Fn": "EQUALS", "args": { "category": "sports" } }
},
{
role: 'sports/editor', resource: 'article', action: 'update', attributes: ['*'],
condition: { "Fn": "EQUALS", "args": { "category": "sports" } }
}
];
const ac = new AccessControl(grantList);
You can set/get grants any time:
const ac = new AccessControl();
ac.setGrants(grantsObject);
console.log(ac.getGrants());
const ac = new AccessControl();
const editorGrant = {
role: 'editor',
resource: 'post',
action: 'create', // action
attributes: ['*'] // grant only
};
ac.grant(editorGrant);
// first level of extension (extending with condition)
ac.extendRole('sports/editor', 'editor', {Fn: 'EQUALS', args: {category: 'sports'}});
ac.extendRole('politics/editor', 'editor', {Fn: 'EQUALS', args: {category: 'politics'}});
let permission = ac.can('sports/editor').context({category: 'sports'}).execute('create').on('post');
console.log(permission.granted); // —> true
console.log(permission.attributes); // —> ['*']
permission = ac.can('sports/editor').context({category: 'politics'}).execute('create').on('post');
console.log(permission.granted); // —> false
console.log(permission.attributes); // —> []
// second level of extension (extending without condition)
ac.extendRole('sports-and-politics/editor', ['sports/editor', 'politics/editor']);
permission = ac.can('sports-and-politics/editor').context({category: 'politics'}).execute('create').on('post');
console.log(permission.granted); // —> true
console.log(permission.attributes); // —> ['*']
// third level of extension (extending with condition)
ac.extendRole('conditonal/sports-and-politics/editor', 'sports-and-politics/editor', {
Fn: 'EQUALS',
args: { status: 'draft' }
});
permission = ac.can('conditonal/sports-and-politics/editor').context({category: 'politics', status: 'draft'}).execute('create').on('post');
console.log(permission.granted); // —> true
console.log(permission.attributes); // —> ['*']
permission = ac.can('conditonal/sports-and-politics/editor').context({category: 'politics', status: 'published'}).execute('create').on('post');
console.log(permission.granted); // —> false
console.log(permission.attributes); // —> []
MIT.
FAQs
Role, Attribute and Condition based Access Control for Node.js
The npm package role-acl receives a total of 2,801 weekly downloads. As such, role-acl popularity was classified as popular.
We found that role-acl demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Socket and Seal Security collaborate to fix a critical npm overrides bug, resolving a three-year security issue in the JavaScript ecosystem's most popular package manager.
Security News
TypeScript is porting its compiler to Go, delivering 10x faster builds, lower memory usage, and improved editor performance for a smoother developer experience.
Research
Security News
The Socket Research Team has discovered six new malicious npm packages linked to North Korea’s Lazarus Group, designed to steal credentials and deploy backdoors.