{"id":30116415,"url":"https://github.com/authzed/multi-app-demo","last_synced_at":"2025-10-23T22:13:23.023Z","repository":{"id":300233845,"uuid":"989158309","full_name":"authzed/multi-app-demo","owner":"authzed","description":"A demo of a distributed centralized authorization system powered by SpiceDB across 3 apps: Email, Docs and Groups","archived":false,"fork":false,"pushed_at":"2025-07-30T14:41:30.000Z","size":221,"stargazers_count":2,"open_issues_count":1,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-07-30T14:54:17.867Z","etag":null,"topics":["authorization","distributed-systems","security","spicedb","zanzibar"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/authzed.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-23T16:43:24.000Z","updated_at":"2025-07-28T09:32:19.000Z","dependencies_parsed_at":"2025-07-30T14:12:04.140Z","dependency_job_id":"4bd76794-c3dd-4f91-81fb-0696941978b3","html_url":"https://github.com/authzed/multi-app-demo","commit_stats":null,"previous_names":["authzed/multi-app-demo"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/authzed/multi-app-demo","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fmulti-app-demo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fmulti-app-demo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fmulti-app-demo/releases","manif
ests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fmulti-app-demo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/authzed","download_url":"https://codeload.github.com/authzed/multi-app-demo/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fmulti-app-demo/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":269705688,"owners_count":24462173,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-10T02:00:08.965Z","response_time":71,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authorization","distributed-systems","security","spicedb","zanzibar"],"created_at":"2025-08-10T09:37:20.534Z","updated_at":"2025-10-23T22:13:17.973Z","avatar_url":"https://github.com/authzed.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Distributed Authorization Demo\n\nA monorepo demonstrating a **distributed centralized authorization system** powered by [SpiceDB](https://spicedb.dev) with four services:\n\n- **Groups Service** (Go) - Google Groups analogue on port 3001\n- **Mail Service** (Node.js) - Gmail analogue on port 3002  \n- **Docs Service** (Java) - Google Docs analogue on port 3003\n- **Frontend** (React + Vite) - Shared UI on port 3000\n\n## Architecture Overview\n\nThis demo showcases how **SpiceDB** enables 
consistent, scalable authorization across multiple microservices:\n\n### SpiceDB Authorization Layer\n- **Centralized Permissions**: All authorization decisions are handled by SpiceDB (port 50051)\n- **Fine-grained Access Control**: Define complex relationships like \"users who are members of groups that own documents\"\n- **Consistent Policy**: Same authorization logic applies across Groups, Mail, and Docs services\n- **Real-time Evaluation**: Permission checks happen in real-time with low latency\n\n### Data Architecture\n- **PostgreSQL 17**: Shared database server with isolated databases per service\n  - `groups_db` - Groups service data\n  - `mail_db` - Mail service data  \n  - `docs_db` - Docs service data\n  - `spicedb` - SpiceDB authorization data\n- **Service Isolation**: Each service manages its own data while sharing authorization\n\n### Authorization Features Powered by SpiceDB\n- **Multi-service Permissions**: User permissions from Groups service affect Mail and Docs access\n- **Relationship-based Access**: \"Members of Engineering group can read internal documents\"\n- **Hierarchical Authorization**: Group owners have elevated permissions across services\n- **Audit Trail**: All permission checks are logged and traceable\n\n## Features\n\n- **SpiceDB Integration**: Each backend service uses Authzed SpiceDB client libraries\n- **Cross-service Authorization**: Permissions granted in one service affect access in others\n- **Modern UI**: Frontend uses wired-elements for consistent design\n- **Container Orchestration**: Full Docker Compose setup with service dependencies\n- **Database Per Service**: Isolated PostgreSQL databases with shared SpiceDB instance\n\n## Quick Start\n\n```bash\n# Build and run all services\ndocker-compose up --build\n\n# Access the application\nopen http://localhost:3000\n```\n\n## Individual Services\n\n### Groups Service (Go)\n```bash\ncd groups-service\ngo mod tidy\ngo run main.go\n```\n\n### Mail Service (Node.js)\n```bash\ncd 
mail-service\nnpm install\nnpm start\n```\n\n### Docs Service (Java)\n```bash\ncd docs-service\nmvn spring-boot:run\n```\n\n### Frontend (React)\n```bash\ncd frontend\nnpm install\nnpm run dev\n```\n\n## API Endpoints\n\n- **Groups**: `GET/POST http://localhost:3001/groups`\n- **Mail**: `GET/POST http://localhost:3002/emails`\n- **Docs**: `GET/POST http://localhost:3003/documents`\n- **SpiceDB**: `grpc://localhost:50051` (authorization service)\n- **SpiceDB Dashboard**: `http://localhost:8080` (admin interface)\n\n## SpiceDB Integration\n\nEach service connects to SpiceDB for authorization decisions:\n\n```javascript\n// Example: Check if user can read a document\n// This query spans across Groups → Users → Documents relationships\nspicedb.CheckPermission({\n  resource: { objectType: \"document\", objectId: \"doc123\" },\n  permission: \"read\",\n  subject: { object: { objectType: \"user\", objectId: \"user456\" } }\n})\n```\n\n### Authorization Schema\nThe demo implements a comprehensive authorization schema in SpiceDB:\n- **Users** can be members of **Groups**\n- **Groups** can own **Documents** and **Mail** threads  \n- **Permission inheritance** flows from group membership to resource access\n- **Role-based access** with owners, managers, and members\n\nThis creates powerful authorization patterns like:\n- \"All Engineering group members can edit technical documents\"\n- \"Mail thread participants can view related group discussions\"\n- \"Document owners can share access with their group members\"","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fauthzed%2Fmulti-app-demo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fauthzed%2Fmulti-app-demo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fauthzed%2Fmulti-app-demo/lists"}