Node-Casbin

^{Sponsored by}
<picture> <source media="(prefers-color-scheme: dark)" srcset="https://cdn.casbin.org/img/stytch-white.png"> <source media="(prefers-color-scheme: light)" srcset="https://cdn.casbin.org/img/stytch-charcoal.png"> </picture>
Build auth with fraud prevention, faster.
Try Stytch for API-first authentication, user & org management, multi-tenant SSO, MFA, device fingerprinting, and more.

💖 Looking for an open-source identity and access management solution like Okta, Auth0, Keycloak ? Learn more about: Casdoor

News: still worry about how to write the correct node-casbin policy? Casbin online editor is coming to help!

node-casbin is a powerful and efficient open-source access control library for Node.JS projects. It provides support for enforcing authorization based on various access control models.

All the languages supported by Casbin:

Casbin	jCasbin	node-Casbin	PHP-Casbin
production-ready	production-ready	production-ready	production-ready

PyCasbin	Casbin.NET	Casbin-CPP	Casbin-RS
production-ready	production-ready	beta-test	production-ready

Documentation

https://casbin.org/docs/overview

Installation

```shell script

NPM

npm install casbin --save

Yarn

yarn add casbin

## Get started

New a `node-casbin` enforcer with a model file and a policy file, see [Model](#official-model) section for details:

```node.js
// For Node.js:
const { newEnforcer } = require('casbin');
// For browser:
// import { newEnforcer } from 'casbin';

const enforcer = await newEnforcer('basic_model.conf', 'basic_policy.csv');

Note: you can also initialize an enforcer with policy in DB instead of file, see Persistence section for details.

Add an enforcement hook into your code right before the access happens:

const sub = 'alice'; // the user that wants to access a resource.
const obj = 'data1'; // the resource that is going to be accessed.
const act = 'read'; // the operation that the user performs on the resource.

// Async:
const res = await enforcer.enforce(sub, obj, act);
// Sync:
// const res = enforcer.enforceSync(sub, obj, act);

if (res) {
  // permit alice to read data1
} else {
  // deny the request, show an error
}

Besides the static policy file, node-casbin also provides API for permission management at run-time. For example, You can get all the roles assigned to a user as below:

const roles = await enforcer.getRolesForUser('alice');

See Policy management APIs for more usage.

Policy management

Casbin provides two sets of APIs to manage permissions:

• Management API: the primitive API that provides full support for Casbin policy management.
• RBAC API: a more friendly API for RBAC. This API is a subset of Management API. The RBAC users could use this API to simplify the code.

Official Model

https://casbin.org/docs/supported-models

Policy persistence

https://casbin.org/docs/adapters

Policy consistence between multiple nodes

https://casbin.org/docs/watchers

Role manager

https://casbin.org/docs/role-managers

Contributors

This project exists thanks to all the people who contribute.

Backers

Thank you to all our backers! 🙏 [Become a backer]

Sponsors

Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]

License

This project is licensed under the Apache 2.0 license.

Contact

If you have any issues or feature requests, please contact us. PR is welcomed.

• https://github.com/casbin/node-casbin/issues
• hsluoyz@gmail.com
• Tencent QQ group: 546057381

5.38.0 (2025-01-23)

Features

• implement enableAcceptJsonRequest API (#497) (650db88)

5.37.0 (2025-01-10)

Features

• use empty array [] as reason for enforceEx() (#496) (c951a8f)

5.36.0 (2024-11-22)

Features

• add BracketAwareCsvParser to parse CSV file better (#494) (4c73883)

5.35.0 (2024-11-20)

Features

• update to @casbin/expression-eval 5.3.0 to fix short-circuit bug (#495) (094bef7)

5.34.0 (2024-11-04)

Features

• switch dependency to our own package: @casbin/expression-eval 5.2.0 (#489) (acf39c2)

5.32.0 (2024-10-20)

Features

• use import { Buffer } from 'buffer/' to be compatible with Bun (#486) (738b2b6)

5.31.0 (2024-09-28)

Features

• prevent duplicated sections and invalid operators in config and model (#484) (79e0f1c)

5.30.0 (2024-04-26)

Features

• ensure eft and priority are respected in p2, r2, etc (#475) (8ef3deb), closes #474

5.29.0 (2024-04-10)

Features

• update CI Node.js version to 18 and 20 (4aa74ab)

5.28.0 (2023-11-21)

Features

• fix WatcherEx not triggered issue (61c1595)

5.27.1 (2023-09-19)

Bug Fixes

• KeyMatch5 does not match the expected result (#458) (0df458d)

5.27.0 (2023-08-30)

Features

• add enforceWithMatcher & enforceExWithMatcher (#453) (a85192f)

5.26.2 (2023-07-29)

Bug Fixes

• add escapeCsv() for CSV file saving (17c542a)

5.26.1 (2023-03-29)

Bug Fixes

• escapeAssertion is compatible with safari (#444) (d13a3b9)

5.26.0 (2023-03-26)

Features

• Multiple sections type (#442) (48b0d8f)

5.25.0 (2023-03-20)

Features

• replace picomatch with minimatch (#440) (4e977b3)

5.24.4 (2023-03-12)

Bug Fixes

• ./src/util/util.ts: fixed unwanted replacement of .r in evals according to issue #438 (#439) (39878be)

5.24.3 (2023-02-27)

Bug Fixes

• built-in buffer and upgrade csv-parse (#436) (0f40bee)

5.24.2 (2023-02-24)

Bug Fixes

• using import() to load the fs (#435) (e90a8bf)

5.24.1 (2023-02-17)

Bug Fixes

• remove lodash usage and types (#432) (9c227d5)

5.24.0 (2023-02-17)

Features

• add built-in FileSystem (#430) (999c34c)

5.23.2 (2023-02-04)

Bug Fixes

• fix typo in subject_priority_policy.csv (#425) (ada2543)

5.23.1 (2023-02-02)

Bug Fixes

• avoid the impact of line breaks CRLF in frontend.test.ts (#420) (7c32e23)

5.23.0 (2023-02-01)

Features

• support updateGroupingPolicy(), updateNamedGroupingPolicy(), getImplicitResourcesForUser() (#419) (46c0f3a)

5.22.0 (2023-01-31)

Features

• support subjectPriority (#417) (e83d505)

5.21.0 (2023-01-21)

Features

• support setNamedRoleManager() (#416) (869e8f9)

5.20.4 (2023-01-20)

Bug Fixes

• add groupPolicy for GetPermissionForUser in frontend.ts (#415) (5d1a679)

5.20.3 (2023-01-10)

Bug Fixes

• Multiline Separator Handling (#411) (ab3467a)

5.20.2 (2023-01-08)

Bug Fixes

• Upgraded CI Nodejs version to v14.16.18. (#410) (9aadcd7)

5.20.1 (2022-12-31)

Bug Fixes

• delete unused files in examples (#407) (323a750)

5.20.0 (2022-12-29)

Features

• defaultrolemanager.ts: add hierarchical domain support for rbac (#380) (da980af), closes #377

5.19.3 (2022-12-02)

Bug Fixes

• update express-eval dependency to v5 (#400) (02a9496)

5.19.2 (2022-11-12)

Bug Fixes

• Revert "fix: escape assertion bug (#394)" (#398) (6127584)

5.19.1 (2022-10-04)

Bug Fixes

• escape assertion bug (#394) (5a339d8)

5.19.0 (2022-09-24)

Features

• add fieldIndexMap (#391) (8f6e2c3)

5.18.0 (2022-09-14)

Features

• add management api for watcherEx callbacks (#384) (591233f)

5.17.0 (2022-08-18)

Features

• add WatcherEx (#381) (10d7086)

5.16.0 (2022-08-11)

Features

• add support for g() in SyncedEnforcer (#378) (a74067a)

5.15.2 (2022-06-22)

Bug Fixes

• enable esModuleInterop support (#366) (20db339)

5.15.1 (2022-04-27)

Bug Fixes

• EnforceEx return allow reason (#363) (6353283)

5.15.0 (2022-04-15)

Features

• #357 Support keyMatch5 (#359) (e6a6d8a)

5.14.0 (2022-03-18)

Features

• rbac: add getUsersForRoleInDomain & getRolesForUserInDomain (#351) (4896ca2), closes #304

5.13.2 (2022-03-02)

Bug Fixes

• matcher result should be boolean or number for KeyGet2 (#347) (0257078)

5.13.1 (2022-02-22)

Bug Fixes

• 'eval' not detected (86e2add)
• created two regex expressions (de5f2f4)

5.13.0 (2022-01-25)

Features

• getImplicitUsersForRole (#341) (ebfaede)

5.12.0 (2022-01-16)

Features

• batchenforce: added batchEnforce (#338) (56e55bd), closes #321

5.11.5 (2021-08-18)

Bug Fixes

• fix error overloading for role manager (#319) (e69450b)

5.11.4 (2021-08-17)

Bug Fixes

• replaceeval: add third param to replaceEval and only replace eval() w/ matching ruleName (#316) (bd4f5bf), closes #315 #315

5.11.3 (2021-08-13)

Bug Fixes

• add support for legacy array definition method (#313) (635eece)

5.11.2 (2021-08-13)

Bug Fixes

• add full supoort for in operator (#310) (446f8c7)

5.11.1 (2021-07-29)

Bug Fixes

• fix in opertor (17f3588)

5.11.0 (2021-07-23)

Features

• add keyGet and keyGet2 (#302) (36e83cf)

5.10.0 (2021-07-19)

Features

• use new license format (284d2a4)

5.9.0 (2021-06-18)

Features

• Add lazyload option at enforcer init method (#289) (e858dcb)

5.8.0 (2021-06-14)

Features

• add support for in operator (a44c6a9)

5.7.2 (2021-06-12)

Bug Fixes

• Support for loadIncrementalFilteredPolicy (72c2001)

5.7.1 (2021-05-19)

Bug Fixes

• getImplicitPermissionsForUser works with rmMap (#272) (0d59239)

5.7.0 (2021-05-14)

Features

• add enforceEx() (#271) (762efd9)

5.6.3 (2021-05-07)

Bug Fixes

• fix buildRoleLinks to isolate groups (0fb6ae7)

5.6.2 (2021-05-02)

Bug Fixes

• transfer from micromatch to picomatch (#264) (6be1b06)

5.6.1 (2021-04-05)

Bug Fixes

• fix CasbinJsGetPermissionForUser() (#251) (98c11f1)

5.6.0 (2021-03-23)

Features

• add priority_policy_explicit support (#250) (763c18e)

5.5.0 (2021-03-19)

Bug Fixes

• add missing await (523ce85)
• fix errror type (dc9e5b5)
• remove unused import (2f8801c)

Features

• add initRmMap (87f8011)
• add named addMatchingFunc (65d3a26)
• add sync mode (70e4e12)
• add unittest (3cd5b73)

5.4.2 (2021-03-04)

Bug Fixes

• improve load policy line (9f12511)

5.4.1 (2021-02-19)

Bug Fixes

• fix unexpected parser action (3074fa9)

5.4.0 (2021-02-06)

Features

• add updatePolicy() (#234) (a3218f1), closes #235

5.3.1 (2021-01-29)

Bug Fixes

• downgrade expression-eval back to v2.0.0 to avoid semantic-release failure, revert: https://github.com/casbin/node-casbin/pull/222 (8c0b1fd)

5.3.0 (2021-01-28)

Bug Fixes

• downgrade target from ESNext to ES2017 for building esm (7dfcf93)
• update expression-eval (95de296)

Features

• enforceSync (ff41f0a)

5.2.3 (2021-01-08)

Bug Fixes

• downgrade target from ESNext to ES2017 for building esm (7dfcf93)
• update expression-eval (95de296)

5.2.3 (2021-01-08)

Bug Fixes

• downgrade target from ESNext to ES2017 for building esm (7dfcf93)

5.2.3 (2020-12-19)

Bug Fixes

• downgrade target from ESNext to ES2017 for building esm (7dfcf93)

5.2.2 (2020-11-29)

Bug Fixes

• builtinoperators: fix function keyMatch3 (1245aa0), closes #214

5.2.1 (2020-11-15)

Bug Fixes

• rbac: fix defaultRoleManager hasRole method (#211) (4f3ba65)

5.2.0 (2020-10-26)

Features

• changing TypeScript target from ES6 to ES2017 (6f4f50f)

5.1.6 (2020-10-07)

Bug Fixes

• support pattern function in 3rd args of g (#199) (27005f8)

5.1.5 (2020-09-14)

Bug Fixes

• ignore print model (f426131)

5.1.4 (2020-09-10)

Bug Fixes

• add cache to generateGFunction (e90bed2)

5.1.3 (2020-08-30)

Bug Fixes

• update casbinJsGetPermissionForUser for v0.1.0 Casbin.js (#186) (6c277e8)

5.1.2 (2020-08-12)

Bug Fixes

• add checks fieldValues to remove filtered policy (6e144fb)

5.1.1 (2020-08-12)

Bug Fixes

• add check if the adapter implements BatchAdapter (a415838)

5.1.0 (2020-08-11)

Features

• add casbinJsGetPermissionForUser (30ae126)

5.0.6 (2020-07-16)

Bug Fixes

• add casbin-cpp to supported languages. (b856734)

5.0.5 (2020-07-08)

Bug Fixes

• improve tokens separator (687e96f)

5.0.4 (2020-06-08)

Bug Fixes

• remove lodash (293a852)

5.0.3 (2020-05-27)

Bug Fixes

• check adapter type (a74314d)

5.0.2 (2020-05-25)

Bug Fixes

• Add imports and batchFileAdapter implementation. (3804c3d)
• Add tests for batch operations. (e6ad7af)
• Merge conflicts. (7179b17)

5.0.1 (2020-05-22)

Bug Fixes

• support comments after expression (c97cb26)

5.0.0 (2020-05-18)

Features

• add BuildIncrementalRoleLinks (b565005)
• improve effector for improve performance (57de7b2)

BREAKING CHANGES

• model addPolicies, removePolicies and removeFilteredPolicy returns [boolean, string[][]]
• • provides a new interface for Effector

4.7.2 (2020-05-09)

Bug Fixes

• stackoverflow in getImplicitRolesForUser (d0fc49f)

4.7.1 (2020-05-08)

Bug Fixes

• Add examples. (5cf950a)
• Added ABAC policy logic to the private enforcer. (c6fc487)
• Added util functions and util tests. (72918bc)
• compatible types (58242a5)
• tests. (4da5291)

4.7.0 (2020-05-03)

Features

• add getImplicitUsersForPermission (ad9df14)

4.6.0 (2020-05-02)

4.5.0 (2020-04-30)

Features

• avoid miss initialize() (1394e8d)

4.4.0 (2020-04-25)

Features

• add addMatchingFunc to DefaultRoleManager (cc04e65)

4.3.1 (2020-04-21)

Bug Fixes

• improve update into adapter before model (0e9ccc6)

4.3.0 (2020-04-20)

Features

• controls whether to automatically notify Watcher (2ce07c2)

4.2.1 (2020-04-05)

Bug Fixes

• remove use spread operator with await in array (6e4f876)

4.2.0 (2020-04-05)

Features

• add glob pattern to built-in function (8415fc2)

4.1.1 (2020-02-20)

Bug Fixes

• enforcer.ts: fix deleteUser and improve deleteRole description (1e6af16), closes #118

4.1.0 (2020-02-13)

Features

• synchronized enforcer (ecec514)

4.0.0 (2020-02-11)

improvement

• convert all management_api to async function (e9f4d38)

BREAKING CHANGES

• see #

3.1.0 (2020-01-22)

Features

• implementation cachedEnforcer (0ace1a6)

3.0.9 (2020-01-14)

Bug Fixes

• getImplicitPermissionsForUser missing domain parameter (584624c)

3.0.8 (2019-12-12)

3.0.7 (2019-11-18)

3.0.6 (2019-11-07)

3.0.5 (2019-10-29)

3.0.3 (2019-07-06)

3.0.2 (2019-07-06)

3.0.1 (2019-06-14)

3.0.0 (2019-06-05)

3.0.0-beta.1 (2019-04-29)

2.0.3 (2019-04-22)

2.0.1 (2019-02-08)

2.0.0 (2019-01-05)

1.1.9 (2018-12-20)

1.1.8 (2018-12-18)

1.1.7 (2018-12-14)

1.1.6 (2018-12-07)

1.1.5 (2018-11-02)

1.1.4 (2018-11-01)

1.1.2 (2018-08-27)

1.1.1 (2018-08-20)

1.1.0 (2018-08-17)

1.0.5 (2018-08-09)