https://github.com/andiveloper/ts-rbac
Use ts-rbac if you need role-based access control in your TypeScript application, independent from your architecture.
- Host: GitHub
- URL: https://github.com/andiveloper/ts-rbac
- Owner: andiveloper
- License: mit
- Created: 2021-03-31T07:05:52.000Z (about 5 years ago)
- Default Branch: main
- Last Pushed: 2023-01-13T07:34:18.000Z (over 3 years ago)
- Last Synced: 2025-04-22T10:52:14.754Z (about 1 year ago)
- Topics: jwt, security, ts, typescript
- Language: TypeScript
- Homepage:
- Size: 199 KB
- Stars: 5
- Watchers: 1
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# ts-rbac
Use `ts-rbac` if you need role-based access control in your TypeScript application, independent from your internal architecture: it works with REST endpoints in NodeJS, with function calls triggered by Kafka messages, or with any other framework.
# Installation
```
npm install andiveloper/ts-rbac
```
# Concept
`ts-rbac` assumes that a user belongs to one or more groups within an organization.
Authorization is expressed in terms of `roles` and `actions`. The following relations apply:
- A `subject` (person or service) can have many `roles`
- A `role` can inherit from other roles
- A `role` consists of many `actions`
- `Actions` are architecture-independent and can, for example, be named after use cases (e.g. "UploadImage") or after endpoints in a REST API (e.g. "PostImage")
- `Actions` contain a `scope` which defines what entities can be accessed
- You can either define your own `scopes` or use the set of default `scopes`: "self", "group", "org" and "all":
  - "self" means only entities created by the user themselves can be accessed
  - "group" means only entities owned by a group to which the user belongs can be accessed
  - "org" means all entities of the user's organization can be accessed
  - "all" means all entities of all organizations can be accessed ("superadmin")
- `scopes` have weights that determine their rank. The default scope "all" has the highest weight, so when access at a lower-ranked scope such as "group" is requested, a subject holding "all" is granted it as well
- When accessing an endpoint/use case:
  - Your API authenticates the user, e.g. through a JWT token or a session cookie
  - Your API retrieves the roles of the user from the JWT token, a database, ...
  - `ts-rbac` computes the actions of all the roles (including inherited roles) the user holds and checks whether the action required for the requested operation is among them
  - On data access the action's "scope" must be checked by your use case or database query, for example:
```
(action.scope.self AND entity.createdBy === user.id)
OR (action.scope.group AND entity.ownerGroup in user.groups)
OR (action.scope.org AND entity.ownerOrg === user.organization)
```
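The role, action and scope model described above, as an added illustration: the types, functions and sample roles below are my own hypothetical construction for this page, not the `ts-rbac` package's API, and the role hierarchy and scope weights are constructed sample values.

```typescript
// Added illustration of the concepts above (hypothetical types and functions,
// not the ts-rbac package's own API).
type Scope = "self" | "group" | "org" | "all";
// Default scope weights: a higher-ranked scope also satisfies any lower one.
const SCOPE_WEIGHT: Record<Scope, number> = { self: 1, group: 2, org: 3, all: 4 };
interface Action { name: string; scope: Scope }
interface Role { inherits?: string[]; actions: Action[] }
interface Subject { id: string; groups: string[]; organization: string; roles: string[] }
interface Entity { createdBy: string; ownerGroup: string; ownerOrg: string }
// Constructed sample role hierarchy: orgAdmin -> editor -> viewer.
const ROLES: Record<string, Role> = {
  viewer: { actions: [{ name: "GetImage", scope: "group" }] },
  editor: { inherits: ["viewer"], actions: [{ name: "UploadImage", scope: "self" }] },
  orgAdmin: { inherits: ["editor"], actions: [{ name: "DeleteImage", scope: "org" }, { name: "GetImage", scope: "org" }] },
};
// Collect the actions of the subject's roles and every inherited role. The visited
// set stops infinite recursion if the inheritance graph has a cycle; when an action
// is granted twice, the widest scope wins.
function effectiveActions(subject: Subject, roles: Record<string, Role> = ROLES): Map<string, Action> {
  const result = new Map<string, Action>();
  const visited = new Set<string>();
  const walk = (roleName: string): void => {
    if (visited.has(roleName)) return;
    visited.add(roleName);
    const role = roles[roleName];
    if (!role) return; // unknown role grants nothing
    for (const a of role.actions) {
      const prev = result.get(a.name);
      if (!prev || SCOPE_WEIGHT[a.scope] > SCOPE_WEIGHT[prev.scope]) result.set(a.name, a);
    }
    (role.inherits || []).forEach(walk);
  };
  subject.roles.forEach(walk);
  return result;
}
// Authorization step: the subject must hold the action at a scope whose weight
// is at least the weight of the requested scope.
function isAllowed(subject: Subject, actionName: string, requested: Scope): boolean {
  const granted = effectiveActions(subject).get(actionName);
  return granted !== undefined && SCOPE_WEIGHT[granted.scope] >= SCOPE_WEIGHT[requested];
}
// Data-access step from the README: the granted scope decides which entities are visible.
function canAccessEntity(subject: Subject, actionName: string, e: Entity): boolean {
  const granted = effectiveActions(subject).get(actionName);
  if (!granted) return false;
  if (granted.scope === "all") return true;
  if (granted.scope === "org") return e.ownerOrg === subject.organization;
  if (granted.scope === "group") return subject.groups.includes(e.ownerGroup);
  return e.createdBy === subject.id; // "self"
}
```

Note that `isAllowed` only answers the role question; the per-entity check in `canAccessEntity` is the separate data-access step the README says your use case or query must perform.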
# Usage
See `test/samples/sample.ts` and `test/samples/sample.test.ts`
# Future work
- Add entity "attribute"-level actions:
  - Actions could contain a field called "attributes", an array of the entity's attributes that are allowed or denied to be accessed
  - For example: `{"attributes": ["!id", "modifiedTime", "!comments", "metadata.location"]}`, default is `[*]`