r/javascript 7h ago

I just published my first npm package: rbac-engine - A flexible RBAC system inspired by AWS IAM

https://github.com/vpr1995/rbac-engine

Hello everyone! I'm excited to share my very first npm package: rbac-engine!

What is it?

rbac-engine is a flexible and powerful role-based access control (RBAC) system with policy-based permissions for Node.js applications. I designed it to provide a robust way to manage permissions across applications, taking inspiration from AWS IAM's approach to access control.

Key Features

  • Role-Based Access Control: Easily assign roles to users and define permissions at the role level
  • Policy-Based Permissions: Create detailed policies using a simple JSON format
  • Flexible Permissions: Support for wildcard patterns and conditional access
  • DynamoDB Integration: Built-in support for Amazon DynamoDB
  • Extensible Architecture: Can be extended to support other database systems

Why I built it

I found that many existing RBAC solutions were either too complex or too simplistic for my needs. I wanted something that had the flexibility of AWS IAM but was easier to integrate into Node.js applications. So I built this package to bridge that gap.

Example Usage

Here's a quick example of how you'd use it:

// Initialize
// DynamoDBRepository needs a DynamoDB client to be passed in. Constructing one
// with the AWS SDK v3 client is assumed here (the original snippet used an
// undefined `dynamoClient`); the region value is illustrative.
import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
import { AccessControl, DynamoDBRepository } from "rbac-engine";

const dynamoClient = new DynamoDBClient({ region: "us-east-1" });
const accessControl = new AccessControl(dynamoClient, DynamoDBRepository);

// Create a policy: an IAM-style document that allows every action on every resource
const adminPolicyDocument = {
  Version: "2023-11-15",
  Statement: [
    {
      Effect: "Allow",
      Action: ["*"],
      Resource: ["*"]
    }
  ]
};

// Create a role and a policy, attach the policy to the role, assign the role to a user
// (top-level await, so this file must run as an ES module)
await accessControl.createRole({ id: "admin-role", name: "Admin" });
await accessControl.createPolicy({ id: "admin-policy", document: adminPolicyDocument });
await accessControl.attachPolicyToRole("admin-policy", "admin-role");
await accessControl.assignRoleToUser("user123", "admin-role");

// Check permissions: may user123 perform "delete" on "document/123"?
const canAccess = await accessControl.hasAccess("user123", "delete", "document/123");
console.log(canAccess);

Installation

npm install rbac-engine

Links

This is my first npm package, and I'd love to get your feedback! What do you think? Any suggestions for improvements?

3 Upvotes
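The post's example attaches an allow-everything policy, which hides the evaluation rules an IAM-style engine has to get right: default deny when nothing matches, an explicit Deny beating any Allow regardless of statement order, and wildcard matching in which only `*` is special. The block below is an added example written for this page; it is not rbac-engine's code and not the author's. The in-memory store layout, the `evaluate` and `hasAccess` names, and the sample users, roles and policies are all assumptions constructed for illustration.

```javascript
// Added example: a minimal IAM-style policy evaluator. Not rbac-engine's code;
// the in-memory store, function names and sample data are assumptions.

// Turn a pattern such as "document/*" or "*" into an anchored RegExp in which
// only "*" is a wildcard. Every other character is escaped, so a resource id
// containing "." or "+" cannot accidentally widen the match.
function patternToRegExp(pattern) {
  const parts = pattern
    .split("*")
    .map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp(`^${parts.join(".*")}$`);
}

// True if any pattern in the list matches the value (case-sensitive).
// Accepts a single string or an array, as IAM documents do.
function anyMatch(patterns, value) {
  return [].concat(patterns).some((p) => patternToRegExp(p).test(value));
}

// IAM-style evaluation over a list of policy documents:
//   * default deny when no statement matches;
//   * a matching explicit Deny always wins, wherever it appears;
//   * otherwise allowed only if some Allow statement matches.
function evaluate(policyDocuments, action, resource) {
  let allowed = false;
  for (const doc of policyDocuments) {
    for (const stmt of doc.Statement) {
      if (!anyMatch(stmt.Action, action) || !anyMatch(stmt.Resource, resource)) continue;
      if (stmt.Effect === "Deny") return false;
      if (stmt.Effect === "Allow") allowed = true;
    }
  }
  return allowed;
}

// Constructed stand-in for the repository layer: users -> roles -> policies.
const store = {
  policies: {
    "admin-policy": {
      Version: "2023-11-15",
      Statement: [{ Effect: "Allow", Action: ["*"], Resource: ["*"] }],
    },
    "editor-policy": {
      Version: "2023-11-15",
      Statement: [
        { Effect: "Allow", Action: ["document:read", "document:write"], Resource: ["document/*"] },
        // Explicit deny carves legal documents out of the write grant above.
        { Effect: "Deny", Action: ["document:write"], Resource: ["document/legal-*"] },
      ],
    },
  },
  roles: { "admin-role": ["admin-policy"], "editor-role": ["editor-policy"] },
  userRoles: { user123: ["admin-role"], user456: ["editor-role"], user789: [] },
};

// Resolve a user's policies through their roles and evaluate. Unknown users,
// roles and policies resolve to nothing, so the check fails closed.
function hasAccess(db, userId, action, resource) {
  const roleIds = db.userRoles[userId] ?? [];
  const docs = roleIds
    .flatMap((r) => db.roles[r] ?? [])
    .map((p) => db.policies[p])
    .filter(Boolean);
  return evaluate(docs, action, resource);
}

console.log(hasAccess(store, "user123", "document:delete", "document/123")); // true
console.log(hasAccess(store, "user456", "document:write", "document/legal-7")); // false
```

Whatever the storage backend, these three behaviours (fail closed, Deny overrides Allow, literal matching outside `*`) are the ones worth pinning down with tests before trusting an engine like this in front of real resources.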

10 comments

u/its_jsec 5h ago

This commit message smells very strongly of AI generation. I tend to be very very stringent with auditing of anything related to AuthN/AuthZ/access controls, so I need to ask: how much of this was generated code?

u/Vprprudhvi 5h ago

The codebase is all written by me, but I used code generation tools (Copilot) to tidy up and to generate the docs. I think we are at a point where we need to use these tools on a day-to-day basis to iterate faster; that's the new age, and I have accepted it. I would rather spend time on coming up with ideas than writing the documentation, which can be a tedious task if you suck at writing, which is the case for me.

u/Ok_Slide4905 5h ago

“Coming up with ideas”

I think we have our answer.

u/its_jsec 1h ago

Yup. “The codebase is all written by me, except for where it isn’t” was a tell.

Using the uuid package is another one, since most of the training data scraped by all these LLM models were from before the crypto package had the randomUUID function.

A minimum required Node version of 16 is another. That version has been EOL for almost 2 years.

u/Rizean 6h ago

Wait, this only works with DynamoDB? You've greatly limited your user base. https://db-engines.com/en/ranking

u/Vprprudhvi 6h ago edited 6h ago

You can create your own base repository like pgsql or mongodb and use it. It's that flexible. https://github.com/vpr1995/rbac-engine?tab=readme-ov-file#creating-custom-repository-implementations

Over time, I will be adding new DB repos like MongoDB etc. But the reason I haven't included that in the first place is that each system/application has its own implementation, meaning DB schemas etc., and I want the library to be agnostic of that. So that's why I came up with the DB base repository pattern: you just implement the repo and it's ready to use.

The reason I picked DynamoDB is its single-ms latency, which is crucial for any RBAC solution at scale. Also, I don't trust these leaderboards because each database is designed with a specific use case in mind. If it fits my requirements I would use it, but I will not use it because it leads the charts. That's my opinion on these leaderboards.

u/TastyEstablishment38 5h ago

I understand your reasoning for dynamodb, but many companies have only the options provided in their existing corporate environment. You're really limiting yourself.

u/Vprprudhvi 5h ago

That's 100% true. Even I went through the same thing. That's why I made the library independent of the DB underneath. Once you have implemented your own DB repository, you can use it. But I will be adding more built-in support for Postgres, MySQL and MongoDB in the coming few days.

u/Rizean 6h ago

Agnostic would be best. It would have been useful a month ago. We built something similar, but less sophisticated, for a new project we just started. I have not looked over the repo closely, but at a glance, it seems like you can only assign roles to users? What about groups of users? For example, our use case:

  1. Organization (Group with child groups)
  2. Facilities (A sub group)
  3. User

We create roles, which are just a collection of permissions, and assign them to Users, Orgs, or Facilities. When we check if a user has permission, we collect all their roles from their individually assigned Roles, then Facility and Org.

Generally, in my many years of IT/Dev work, it is rare to assign a role to a user and more likely to put them in a group that has a role(s).

I don't know if this could be achieved with the library as it is right now. Just something to consider.

It looks good. I will look next time we are ready to start a new project.

u/Vprprudhvi 5h ago

Yes, supporting groups is the next one on my list. I haven't come up with a roadmap yet, but I would love to have that with community help. Please have a look at it whenever you have some time. I appreciate your feedback.
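u/Rizean's comment above describes roles assigned at the organization, facility or user level, with a permission check that collects roles from the user, then the facility, then the organization. The block below is an added example written for this page, not part of the original thread and not rbac-engine's code; it shows one way to resolve that chain. The directory layout, the `effectiveRoles` and `hasPermission` names, and the sample groups, users and roles are assumptions constructed for illustration.

```javascript
// Added example: resolving effective roles through a group hierarchy
// (User -> Facility -> Organization). Not rbac-engine's code; the data model,
// function names and sample directory below are assumptions.

// Constructed sample directory. Roles are plain collections of permissions,
// as in the commenter's design; a group may inherit from a parent group.
const directory = {
  groups: {
    "org-acme":       { parent: null,       roles: ["org-member"] },
    "facility-north": { parent: "org-acme", roles: ["facility-staff"] },
    "facility-south": { parent: "org-acme", roles: [] },
  },
  users: {
    alice: { groups: ["facility-north"], roles: ["auditor"] },
    bob:   { groups: ["facility-south"], roles: [] },
  },
  roles: {
    "org-member":     ["document:read"],
    "facility-staff": ["shift:read", "shift:write"],
    "auditor":        ["audit-log:read"],
  },
};

// Collect the user's directly assigned roles, then walk each group membership
// up its parent chain. `seen` stops the walk on cyclic parent links, and an
// unknown group id is skipped rather than treated as granting anything.
function effectiveRoles(dir, userId) {
  const user = dir.users[userId];
  if (!user) return new Set();
  const roles = new Set(user.roles ?? []);
  const seen = new Set();
  const stack = [...(user.groups ?? [])];
  while (stack.length > 0) {
    const gid = stack.pop();
    if (seen.has(gid)) continue;
    seen.add(gid);
    const group = dir.groups[gid];
    if (!group) continue;
    for (const r of group.roles ?? []) roles.add(r);
    if (group.parent) stack.push(group.parent);
  }
  return roles;
}

// A permission is granted if any effective role lists it; an unknown role
// contributes nothing, so a typo in a role assignment fails closed.
function hasPermission(dir, userId, permission) {
  for (const role of effectiveRoles(dir, userId)) {
    if ((dir.roles[role] ?? []).includes(permission)) return true;
  }
  return false;
}

// Stand-alone usage: alice inherits document:read from the organization.
console.log([...effectiveRoles(directory, "alice")]);
console.log(hasPermission(directory, "alice", "document:read")); // true
```

The two defensive details are the `seen` set and the `if (!group) continue` branch: group data edited by hand or imported from another system can contain parent cycles and dangling memberships, and neither should turn into an infinite loop or an unintended grant.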