Example of CASL integration in expressjs app

Read the article CASL in Expressjs app for details.

CASL is an isomorphic authorization JavaScript library which restricts what resources a given user is allowed to access.

This is an example API which shows how to integrate CASL in a blog application. There are 3 entities:

  • User
  • Post
  • Comment

Permission logic (i.e., abilities) is defined in src/modules/auth/abilities.js. Rules can be specified for both authenticated and anonymous users, so it is easy, for example, to allow anonymous users to write comments.

The application uses passport-jwt for authentication. The main logic is built on top of modules, all in src/modules.
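To make the "rules for authenticated and anonymous users" idea concrete, here is an added example that is not the project's abilities.js and does not use the @casl/ability API: a hand-rolled stand-in with the same shape (action, subject, optional field conditions) plus an Express-style guard middleware. The `_id`/`author` field names and the specific rules are assumptions chosen for illustration.

```javascript
// Added example: minimal stand-in for a CASL-like rule model. It is NOT
// @casl/ability and NOT the project's src/modules/auth/abilities.js.
// A rule is { action, subject, conditions? }; conditions are field/value
// pairs the target record must match (assumed field names: _id, author).

// `user` is null for anonymous requests.
function defineAbilitiesFor(user) {
  const rules = [
    // Everyone, anonymous visitors included, may read posts and comments.
    { action: 'read', subject: 'Post' },
    { action: 'read', subject: 'Comment' },
    // Anonymous users are allowed to write comments (what the README mentions).
    { action: 'create', subject: 'Comment' },
  ];
  if (!user) return rules;

  rules.push({ action: 'create', subject: 'Post' });
  // Authenticated users may only change records they authored.
  for (const subject of ['Post', 'Comment']) {
    rules.push({ action: 'update', subject, conditions: { author: user._id } });
    rules.push({ action: 'delete', subject, conditions: { author: user._id } });
  }
  return rules;
}

// A conditioned rule only matches when a concrete record is supplied.
function matches(conditions, record) {
  if (!conditions) return true;
  return Object.entries(conditions).every(
    ([field, value]) => Boolean(record) && record[field] === value
  );
}

// can(rules, action, subjectType, record): record may be omitted for
// type-level checks against unconditioned rules.
function can(rules, action, subjectType, record) {
  return rules.some(
    r => r.action === action && r.subject === subjectType && matches(r.conditions, record)
  );
}

// Express-style guard: `loadRecord(req)` returns the record being acted on
// (e.g. a post already fetched by an earlier middleware). Denied -> 403.
function authorize(action, subjectType, loadRecord) {
  return (req, res, next) => {
    const rules = defineAbilitiesFor(req.user || null);
    const record = loadRecord ? loadRecord(req) : undefined;
    if (!can(rules, action, subjectType, record)) {
      return res.status(403).json({ error: 'Forbidden' });
    }
    return next();
  };
}

module.exports = { defineAbilitiesFor, can, authorize };
```

The guard is meant to sit after the authentication middleware (so `req.user` is set or absent) and after whatever handler loads the record, so the ownership condition is evaluated against the real document rather than the client's input.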

Note: refactored to use CASL 4.0. See @casl/ability and @casl/mongoose for details. Warning: this code is just an example and doesn't follow best practices everywhere (e.g. it stores passwords without hashing).

Installation

```sh
git clone https://github.com/stalniy/casl-express-example.git
cd casl-express-example
npm install
npm start # `npm run dev` to run in dev mode
```

You also need a MongoDB database up and running; the application connects to mongodb://localhost:27017/blog. This repository contains database fixtures which you can load with the mongorestore CLI command. Navigate to the project root and run:

```sh
mongorestore db
```

How to log in

  1. Create a new user

```
POST http://localhost:3000/api/users
{
  "email": "[email protected]",
  "password": "password"
}
```

  2. Create a new session

```
POST http://localhost:3000/api/session
{
  "email": "[email protected]",
  "password": "123456"
}
```

```
201 Created
{ "token": "...." }
```

  3. Put the access token in the Authorization header for all future requests

Routes

  • /api/articles
  • /api/articles/:id/comments
  • /api/users
  • /api/session

There are 3 users available: