Enhancing Authorization Frameworks: Seeking Input on Open-Source Solution Development

Introduction

In the evolving landscape of application development, robust and flexible authorization mechanisms are crucial for safeguarding resources and ensuring seamless user experiences. Recognizing this necessity, a developer has embarked on creating an open-source authorization library aimed at simplifying rule declaration, sharing policies across projects, and improving developer experience. This article delves into the core concepts behind this initiative, explores proposed implementation strategies, and invites community feedback for refining the framework.

The Vision for an Open-Source Authorization Library

The primary motivation behind this project is to develop a modular, reusable, and user-friendly authorization framework that addresses common challenges faced during implementation. Key objectives include:

• Declarative Rule Definition: Simplify the process of defining access policies directly within application code.
• Reusability Across Projects: Enable rules to be declared once and seamlessly imported into diverse projects or modules.
• Drift Detection: Incorporate mechanisms to monitor and identify deviations from established policies, ensuring consistency.
• Enhanced Developer Experience (DevX): Strive for an intuitive and minimalistic interface that encourages adoption and ease of use.

Proposed Syntax and Usage Patterns

To achieve these goals, the developer is exploring the use of annotations (decorators) as the primary method for declaring rules, leveraging their ability to attach metadata to functions and classes. Early examples illustrate this approach:

typescript
@can('delete:deviceByUser', {
when: (user, { device }) => device?.organizationId === user.organizationId,
resolveUser: () => UserManager.getCurrentUser(),
})
async deleteDeviceByUser(device, user: User): Promise<string> {
return `Deleted device ${device.id}`;
}

Another variant demonstrates contextual object resolution:

typescript
@can('delete:deviceY', {
objects: {
user: async (args, instance) => {
return await instance.userService.findById(args[0]);
}
},
when: (user, { device }) => device?.owner === user.id,
})
async deleteDeviceY(deviceId: string): Promise<string> {
return `Deleted device ${deviceId}`;
}

In scenarios where decorators are unsuitable or unavailable, helper functions provide alternative approaches:

“`typescript
const permitted = await canUser(
‘read:device’,
regularUser,
{
args: [{ name: ‘Test Device’, organizationId: ‘org2’