@knodes/nest-casl

 + 

A simple decorator-based way to check CASL abilities on NestJS controllers.

Description

Use decorators everywhere to protect your controller methods.

• :book: Read the docs
• :rocket: Get started

Installation

npm install --save @knodes/nest-casl

Additionally, please make sure you have correct peer dependencies installed:

• @casl/ability: ^5.0.0
• @nestjs/common: ^8.0.0
• @nestjs/core: ^8.0.0
• lodash: ^4.17.0
• reflect-metadata: ^0.1.13
• rxjs: ^7.0.0

npm install @casl/ability@^5.0.0 @nestjs/common@^8.0.0 @nestjs/core@^8.0.0 lodash@^4.17.0 reflect-metadata@^0.1.13 rxjs@^7.0.0

In a nutshell

Declare a new service that converts the user of your request to a CASL ability:

import { Injectable } from '@nestjs/common';
import { AbilityBuilder, PureAbility } from '@casl/ability';
import { CaslAbilityFactory } from '@knodes/nest-casl';

@Injectable()
export class AbilityFactory implements CaslAbilityFactory {
    // Here, `request` is the express or fastify request. You might get infos from it.
    public createFromRequest( _request: unknown ): PureAbility {
        const abilityBuilder = new AbilityBuilder( PureAbility );
        abilityBuilder.can( 'feed', 'cat' );
        abilityBuilder.can( 'hug', 'cat' );
        abilityBuilder.can( 'pet', 'cat' );
        abilityBuilder.cannot( 'rename', 'cat' );
        return abilityBuilder.build();
    }
}

Import the module:

import { Module } from '@nestjs/common';
import { CaslModule } from '@knodes/nest-casl';

@Module( {
    imports: [
        CaslModule.withConfig( ( { abilityFactory: AbilityFactory } ) ),
        // ....
    ],
} )
export class AppModule {}

Use decorators in your controller:

import { AbilityBuilder, PureAbility } from '@casl/ability';
import { Controller, Get } from '@nestjs/common';
import { InjectAbility, PoliciesMask, Policy } from '@knodes/nest-casl';

@Controller( '/cat/care' )
@PoliciesMask({
    'pet': { action: 'pet', subject: 'cat' }
})
export class CatCareController {
    // Okay, you can feed.
    @Get( 'feed' )
    @Policy( { action: 'feed', subject: 'cat' } )
    public feed(){
        // ...
    }

    // Well, I guess he won't bite.
    @Get( 'hug' )
    @Policy( { action: 'hug', subject: 'cat' } )
    public hug(){
        // ...
    }

    @Get( 'pet' )
    public pet( @InjectAbility() ability: PureAbility ){
        // ...
    }
}

For more details and usage with guards, please refer to the guide.

License

@knodes/nest-casl is MIT licensed.