You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Role-Based Access Control (RBAC) is a common requirement for modern applications, especially those with complex permissions and user roles. There are established libraries like CASL, but most RBAC solutions are tightly coupled to specific frameworks or web patterns.
For NexusDI, the goal is to provide a flexible, framework-agnostic RBAC module/plugin that can be used in any context—HTTP, GraphQL, gRPC, Signals, CLI, background jobs, etc.—and is easy to extend or integrate with other modules (like Auth).
Motivation
Decouple RBAC from transport: RBAC should work for any kind of service or method, not just HTTP routes or GraphQL resolvers.
Composable and extensible: Should support decorators, guards, and interceptors for fine-grained access control.
Integrate with existing libraries: Consider building on top of CASL or similar, but keep the integration optional and pluggable.
Support for both static and dynamic permissions: Allow for both role-based and attribute-based access control.
Expose APIs, not integrations: Let users wire up RBAC checks in their transport layer of choice (HTTP, GraphQL, gRPC, Signals, etc.).
Proposed Features
Decorators for attaching RBAC rules to providers, methods, or controllers
Guards/interceptors for enforcing permissions at runtime
Integration points for Auth module (e.g., use user roles/claims)
Support for both static roles and dynamic, attribute-based permissions
Optional integration with CASL or similar libraries
Expose APIs for permission checks, not direct integration with any transport layer
Open Questions
Should we build on top of CASL, or provide a minimal core with optional adapters?
What should the decorator/guard API look like?
How should RBAC rules be defined and registered?
How should this integrate with the Auth module?
Should we support both synchronous and asynchronous permission checks?
What are the best patterns for users to integrate RBAC checks into their chosen transport layer?
API Sketch
import{RBAC,Can,Roles}from'@nexusdi/rbac';
@RBAC()classUserService{
@Can('user:read')getUser(id: string){/* ... */}
@Roles('admin')deleteUser(id: string){/* ... */}}// In your transport layer (HTTP, GraphQL, gRPC, etc.)if(rbac.can(user,'user:read')){// allow}else{// deny}
Call for Feedback
What use cases do you have for RBAC in NexusDI?
What features or integrations would you like to see?
Any concerns or suggestions about keeping the module transport-agnostic?
Are there existing libraries or patterns you think we should learn from or integrate with?
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
Overview
Role-Based Access Control (RBAC) is a common requirement for modern applications, especially those with complex permissions and user roles. There are established libraries like CASL, but most RBAC solutions are tightly coupled to specific frameworks or web patterns.
For NexusDI, the goal is to provide a flexible, framework-agnostic RBAC module/plugin that can be used in any context—HTTP, GraphQL, gRPC, Signals, CLI, background jobs, etc.—and is easy to extend or integrate with other modules (like Auth).
Motivation
Proposed Features
Open Questions
API Sketch
Call for Feedback
Beta Was this translation helpful? Give feedback.
All reactions