Node.js and ACL

Asked 9/1, 2013 at 12:35 Answered 6/3, 2020 at 21:14

I've chosen for my project Node.js+Express+Mongoose. Until now, I didn´t need to use ACL, but in this phase of project a I need to implement this.

NPM contains a few modules, but which one to choose?

Please tell me your experiences with ACL (Node.js+Express+Mongoose). And If you know any tutorial it would be great :), but it's not so needed, what I exactly need to know what Node.js programmers are using for ACL.

Last possibility is write own acl-middleware, it could be interesting experience for me. I suppose :)

Conservator answered 9/1, 2013 at 12:35 Comment(1)

You can also try Casbin: github.com/casbin/node-casbin. It supports multiple access control models including ACL, RBAC, ABAC, etc. I think it is more powerful and flexible than the current acl module. – Waldemar 21/8, 2018 at 0:55

https://npmjs.org/package/acl

The most used ACL module. It has Express middleware for protect resources and mongo support too..

Update 9.2020:

the acl package has not been updated in 2 years
there is a fork with recent changes: https://github.com/flash-oss/node_acl

Himyaritic answered 9/1, 2013 at 17:54 Comment(10)

Has anyone tested this for performance? I wonder how efficiently it is written. – Bela 20/5, 2014 at 20:21

To answer my own comment: Asserts are lightning fast! But when asking for all permissions a user has on a resource, this took about about 12 seconds on a modest-sized dataset (hundreds of users and thousands of resources). I tried Neo4j and it returns in ~100 milliseconds on a dataset 10x bigger for the same operation. – Bela 24/6, 2014 at 19:30

@EricOlson is referring to npmjs.com/package/graph-acl, for those coming here from Google. – Mahalia 12/12, 2014 at 12:15

Actually, @GajusKuizinas, I used my own implementation of an acl on Neo4j. I was not even aware that a package using graphs already existed. NPM has everything...I should have known :) – Bela 13/12, 2014 at 8:30

I have ended up building my own implementation using MySQL too. Surprisingly, there isn't a package for that in NPM. – Mahalia 13/12, 2014 at 10:14

Hi @EricOlson: I currently protect my API with JWT and passport using a Bearer strategy. I would like to extend the layer of access to resources with an ACL. Would you recommend your approach (graphs and acl)? – Zany 14/12, 2014 at 15:8

@Interactionist, I did extensive testing with ACL implementations over MySQL using MPTT (Modified Preorder Tree Traversal), MongoDB, JCR's native ACL library, and others. No implementation came close to performance when compared to graph dbs. I ended up going with Titan in the end for scalability. Throughput for Neo4j and Titan were about 3000 ACL assertions/sec. JCR for example was about 400/sec. MySQL with MPTT was ~1800/sec, but the query was crazy-huge and complex. Good luck! – Bela 14/12, 2014 at 23:9

@EricOlson Thanks for the extensive description. I am still interested if your approach is something that could/should go in parallel to a normal passport jwt auth/express middleware for API routing. Really keen to get your thoughts on that. Thanks. – Zany 15/12, 2014 at 11:41

@Interactionist To give you an idea of my approach, see this SO question I asked in the beginning of my graph-learning. This is a basic model example. Assertions become a DAG graph problem. I have user-hierchy trees and resource trees. They are connected with permission edges. You can see there that Linda can read the eVar33 resource (thanks to her membership in the Media Mgmt group) because there is a path from Linda to eVar33 where a permission-edge contains read:true. I think graphs are a natural approach for ACLs. – Bela 15/12, 2014 at 16:26

@EricOlson Cheers man. Great example btw. "I think graphs are a natural approach for ACLs.": Yes, that is why I am so keen to get a qualified answer if this graphs-ACL can accompany my API approach of routing/auth handling with express/passport/jwt. This part is really vital before I dig deeper into graphs. And I appreciate your answer to this. – Zany 15/12, 2014 at 19:51

acl package has not been updated for the last 2 years. I’m the author of CASL - isomorphic permission management for JavaScript - https://github.com/stalniy/casl

According to npm trends it’s the mostly used library nowadays - https://www.npmtrends.com/acl-vs-@casl/ability

By the way it makes an integration with MongoDB and mongoose really easy!

Kelliekellina answered 6/3, 2020 at 21:14 Comment(2)

Also I'm currently working on support for SQL databases. Keep tuned! – Kelliekellina 13/9, 2020 at 8:41

would you kindly tell the difference except supporting for acl and casl – Peasant 23/11, 2021 at 7:20

Recommended topics

Hot tags