/** A comment record; rules in ROLES look only at `authorId`. */
type Comment = {
  id: string
  body: string
  // Id of the user who wrote the comment. ROLES compares it with User.id
  // (ownership for "update") and with User.blockedBy (visibility for "view").
  authorId: string
  createdAt: Date
}
/** A todo record with one owning user and a list of additional user ids. */
type Todo = {
  id: string
  title: string
  // Id of the owning user. ROLES compares it with User.id (ownership) and
  // with User.blockedBy (visibility).
  userId: string
  completed: boolean
  // User ids that the "user" role rules in ROLES treat like the owner for
  // "update" and "delete".
  invitedUsers: string[]
}
/** Every role the system knows; ROLES must have an entry for each one. */
type Role = "admin" | "moderator" | "user"
/**
 * The requesting principal. `blockedBy` holds user ids whose comments/todos
 * the "view" rules in ROLES deny to this user.
 */
type User = { blockedBy: string[]; roles: Role[]; id: string }
/**
 * A rule for one (resource, action) pair: either a flat grant/deny, or a
 * predicate over the requesting user and the concrete record being acted on.
 */
type PermissionCheck<Key extends keyof Permissions> =
  | boolean
  | ((user: User, data: Permissions[Key]["dataType"]) => boolean)
/**
 * Shape of the permission table: every Role, then optionally each resource,
 * then optionally each of that resource's actions. hasPermission treats a
 * missing entry as a deny.
 */
type RolesWithPermissions = {
  [R in Role]: Partial<{
    [Key in keyof Permissions]: Partial<{
      [Action in Permissions[Key]["action"]]: PermissionCheck<Key>
    }>
  }>
}
/**
 * Registry of protected resources: the record type a predicate rule receives
 * and the set of actions that can be requested on that resource.
 */
type Permissions = {
  comments: {
    dataType: Comment
    action: "view" | "create" | "update"
  }
  todos: {
    // Can do something like Pick<Todo, "userId"> to get just the rows you use
    dataType: Todo
    action: "view" | "create" | "update" | "delete"
  }
}
/** Visibility rule: the record's author/owner must not be in the user's block list. */
const notBlockedBy = (user: User, authorId: string): boolean =>
  !user.blockedBy.includes(authorId)

/** Ownership rule: the user owns the todo or is on its invite list. */
const ownsOrInvitedTo = (user: User, todo: Todo): boolean =>
  todo.userId === user.id || todo.invitedUsers.includes(user.id)

/**
 * The permission table consulted by hasPermission. `true` is an unconditional
 * grant; a function is a predicate evaluated against the concrete record.
 * Anything not listed is denied.
 */
const ROLES = {
  // Admins: unconditional grant on everything listed.
  admin: {
    comments: { view: true, create: true, update: true },
    todos: { view: true, create: true, update: true, delete: true },
  },
  // Moderators: like admins, except they may only delete completed todos.
  moderator: {
    comments: { view: true, create: true, update: true },
    todos: {
      view: true,
      create: true,
      update: true,
      delete: (user, todo) => todo.completed,
    },
  },
  // Plain users: visibility is filtered by blockedBy, writes require ownership
  // (or an invite for todos), and deletion additionally requires completion.
  user: {
    comments: {
      view: (user, comment) => notBlockedBy(user, comment.authorId),
      create: true,
      update: (user, comment) => comment.authorId === user.id,
    },
    todos: {
      view: (user, todo) => notBlockedBy(user, todo.userId),
      create: true,
      update: ownsOrInvitedTo,
      delete: (user, todo) => ownsOrInvitedTo(user, todo) && todo.completed,
    },
  },
} as const satisfies RolesWithPermissions
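/**
 * Attribute-based permission check: returns `true` when at least one of the
 * user's roles grants `action` on `resource`, evaluating predicate rules
 * against `data`.
 *
 * Evaluation is fail-closed: a role with no entry for the resource or the
 * action denies, and a predicate rule denies when `data` is omitted. Roles are
 * combined with OR, so a single granting role is enough.
 *
 * @param user - The requesting user; `roles` selects the rules, `blockedBy` and
 *   `id` feed the predicate rules in ROLES.
 * @param resource - A key of `Permissions` ("comments" | "todos").
 * @param action - One of the actions declared for that resource.
 * @param data - The concrete record the action targets. Required for predicate
 *   rules (ownership/visibility); flat boolean grants ignore it.
 * @returns Whether the action is permitted.
 */
export function hasPermission<Resource extends keyof Permissions>(
  user: User,
  resource: Resource,
  action: Permissions[Resource]["action"],
  data?: Permissions[Resource]["dataType"]
): boolean {
  // Widen by declaration instead of `as`: indexing by a union key needs the
  // generic mapped type, and assignability was already proven by `satisfies`.
  const table: RolesWithPermissions = ROLES
  return user.roles.some(role => {
    const byResource = table[role]
    // Own-key checks: the types constrain callers at compile time, but a
    // plain-JS caller passing an arbitrary string (e.g. "toString") would
    // otherwise resolve an inherited Object member as if it were a rule.
    if (byResource == null || !Object.keys(byResource).includes(resource)) return false
    const byAction = byResource[resource]
    if (byAction == null || !Object.keys(byAction).includes(action)) return false
    const rule = byAction[action]
    if (rule == null) return false
    if (typeof rule === "boolean") return rule
    // A predicate needs the record; without it nothing can be evaluated, so deny.
    return data != null && rule(user, data)
  })
}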
// USAGE:
// A plain user ("1") who is blocked by user "2".
const user: User = { id: "1", roles: ["user"], blockedBy: ["2"] }
// A todo owned by that same user, not yet completed.
const todo: Todo = {
  id: "3",
  title: "Test Todo",
  userId: "1",
  completed: false,
  invitedUsers: [],
}
// Flat grant for the "user" role: no record is needed.
hasPermission(user, "comments", "create")
// Predicate rule: permitted because todo.userId ("1") is not in user.blockedBy.
hasPermission(user, "todos", "view", todo)
// Same rule with no record: asks "may this user view every todo?". For the
// "user" role the rule is a predicate, so without data this is denied.
hasPermission(user, "todos", "view")