CASL. Permission management in express

Sergii Stotskyi
Jul 25, 2017 · 5 min read
CASL Expressjs API
  • CASL is an isomorphic authorization JavaScript library which restricts what resources a given user is allowed to access.
  • Express is a fast, unopinionated, minimalist web framework for Node.js.

Create blog application

I’ve prepared an example blog application integrated with CASL on GitHub. The app consists of 3 entities (User, Post and Comment) and 4 modules (one module per entity and one module for the authentication and authorization logic). All modules can be found in the src/modules folder. The application uses mongoose models and passport authentication, and implements a basic REST API which allows to:

  • create new Users (anybody)
  • manage own Posts (logged in users)
  • update and read personal information (logged in users)
  • create, update and delete own Comments (logged in users)
mongorestore ./db

CASL authorization

I merged the authentication and authorization logic into one piece, so that I can define permissions for both logged in and anonymous users. If the user doesn’t specify a token in the Authorization header, I use a lazily generated BLANK_TOKEN and an empty User instance.

PATCH http://localhost:3030/posts/597649a88679237e6f411ae6
{
"post": {
"title": "[UPDATED] my post title"
}
}
200 Ok
{
"post": {
"_id": "597649a88679237e6f411ae6",
"updatedAt": "2017-07-24T19:53:09.693Z",
"createdAt": "2017-07-24T19:25:28.766Z",
"title": "[UPDATED] my post title",
"text": "very long and interesting text",
"author": "597648b99d24c87e51aecec3",
"__v": 0
}
}
PATCH http://localhost:3030/posts/59761ba80203fb638e9bd85c
{
"post": {
"title": "[EVIL ACTION] my post title"
}
}
403 Ok
{
"status": "forbidden",
"message": "Cannot execute \"update\" on \"Post\""
}
GET http://localhost:3030/posts
200 Ok
{
"posts": [
{
"_id": "597649a88679237e6f411ae6",
"updatedAt": "2017-07-24T19:53:09.693Z",
"createdAt": "2017-07-24T19:25:28.766Z",
"title": "[UPDATED] my post title",
"text": "very long and interesting text",
"author": "597648b99d24c87e51aecec3",
"__v": 0
}
]
}
Post.accessibleBy(req.ability, req.query.action)
GET http://localhost:3030/posts?action=update
200 Ok
{
"posts": [
{
"_id": "597649a88679237e6f411ae6",
"updatedAt": "2017-07-24T19:53:09.693Z",
"createdAt": "2017-07-24T19:25:28.766Z",
"title": "[UPDATED] my post title",
"text": "very long and interesting text",
"author": "597648b99d24c87e51aecec3",
"__v": 0
}
]
}
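The permission model described above (anybody may create Users; logged in users manage only their own Posts and Comments; the PATCH on someone else’s post is refused with `Cannot execute "update" on "Post"`; `accessibleBy` narrows a listing to permitted records), as an added, runnable example that is not the article’s code. It is a small dependency-free stand-in for the CASL rule shape, not the @casl/ability library itself, and the names BLANK_USER, defineRulesFor, Ability, queryFor and patchPost are assumptions for this illustration:

```javascript
// Added example (not the article's code): a dependency-free stand-in for the CASL
// rule shape (action, subject, conditions) that reproduces the behaviour described
// above. The real app uses @casl/ability; User, Post, defineRulesFor and patchPost
// are assumed names for this illustration.
const BLANK_USER = { _id: null };                   // the "empty User instance"
const ALIASES = { manage: ['create', 'read', 'update', 'delete'] };
const subjectName = (s) => (typeof s === 'string' ? s : s.constructor.name);
// Permissions for anonymous and logged-in users, defined in one place.
function defineRulesFor(user) {
  const rules = [['create', 'User'], ['read', 'Post'], ['read', 'Comment']];
  if (user._id) {                                   // logged in: own resources only
    rules.push(['manage', 'Post', { author: user._id }], ['manage', 'Comment', { author: user._id }]);
    rules.push(['read', 'User', { _id: user._id }], ['update', 'User', { _id: user._id }]);
  }
  return rules;
}
class Ability {
  constructor(rules) { this.rules = rules; }
  rulesFor(action, name) {                          // rules whose action/subject apply
    return this.rules.filter(([a, s]) =>
      s === name && (a === action || (ALIASES[a] || []).includes(action)));
  }
  can(action, subject) {                            // allowed by an unconditional rule
    return this.rulesFor(action, subjectName(subject)).some(([, , cond]) =>   // or a matching one
      !cond || typeof subject === 'string' ||
      Object.keys(cond).every((k) => String(subject[k]) === String(cond[k])));
  }
  throwUnlessCan(action, subject) {
    if (this.can(action, subject)) return;
    throw new Error(`Cannot execute "${action}" on "${subjectName(subject)}"`);
  }
  // Like Post.accessibleBy(ability, action): {} = all records, null = none accessible.
  queryFor(action, name) {
    const conds = this.rulesFor(action, name).map(([, , c]) => c || {});
    if (conds.length === 0) return null;
    return conds.some((c) => Object.keys(c).length === 0) ? {} : { $or: conds };
  }
}
class User { constructor(f) { Object.assign(this, f); } }
class Post { constructor(f) { Object.assign(this, f); } }
// The PATCH /posts/:id flow shown above: 200 on an own post, 403 on someone else's.
function patchPost(user, post, title) {
  try {
    new Ability(defineRulesFor(user)).throwUnlessCan('update', post);
    post.title = title;
    return { status: 200, body: { post } };
  } catch (e) {
    return { status: 403, body: { status: 'forbidden', message: e.message } };
  }
}
```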

Conclusion

I hope it was an interesting journey and that you now like CASL as much as I do :). CASL has pretty good documentation, so I believe you will find a lot of useful information there, but don’t hesitate to ask questions in the gitter chat if you have any.


Looking for more?

Read documentation and other articles about CASL:


DailyJS

JavaScript news and opinion.
