1.0.7 • Published 1 year ago

ts-rbac v1.0.7

Weekly downloads
-
License
MIT
Repository
github
Last release
1 year ago

ts-rbac

Use ts-rbac if you need role-based access control in your TypeScript application, independent from your internal architecture: It works with REST endpoints in NodeJS, function calls triggered by Kafka or any other framework.

Installation

npm install andiveloper/ts-rbac

Concept

ts-rbac assumes that a user belongs to different groups within an organization. For authorization roles and actions are used. The following relations apply:

  • A subject (person or service) can have many roles
  • A role can inherit from other roles
  • A role consists of many actions
  • Actions are architecture-independent and can for example be named after use cases (e.g. "UploadImage") or after endpoints in a REST API (e.g.: "PostImage")
  • Actions contain a scope which defines what entities can be accessed
  • You can either define your own scopes or use a set of default scopes: "self", "group", "org" and "all":
    • "self" means only entities created by the user himself can be accessed
    • "group" means only entities that are owned by a group to which the user belongs can be accessed
    • "org" means all entities of the organization can be accessed
    • "all" means all entities of all organizations can be accessed ("superadmin")
  • scopes have weights which determine the rank of the scope, e.g. the default scope "all" has the highest weight which means if access to a lower ranked scope is requested, e.g. "group" it is also granted
  • When accessing an endpoint/use case:
    • Your API authenticates the user, e.g. for example through a JWT token or a session cookie
    • Your API retrieves the roles of the user from the JWT token, a database, ...
    • ts-rbac is used to calculate the actions of all the roles and inherited roles the user owns and checks if a action exists for the specific action needed to perform the action
    • On data access the "scope" must be checked by your action/use case or database query, for example: 
    (action.scope.self AND entity.createdBy === user.id) 
OR (action.scope.group AND entity.ownerGroup in user.groups) 
OR (action.scope.org AND entity.ownerOrg === user.organization)

Usage

See samples/sample.ts and test/sample.test.ts

Future work

  • Add entity "attribute"-level actions:

    • Actions could contain a field called "attributes" which is an array of attributes of the entity that are allowed or denied to be accessed
    • For example: {"attributes": ["!id", "modifiedTime", "!comments", "metadata.location"]}, default is [*]
rbac
@infinitebrahmanuniverse/nolb-ts-r@everything-registry/sub-chunk-2978
1.0.7

1 year ago

1.0.6

1 year ago

1.0.2

3 years ago

1.0.1

3 years ago

1.0.5

3 years ago

1.0.4

3 years ago

1.0.3

3 years ago

1.0.0

3 years ago