Find file
Fetching contributors…
Cannot retrieve contributors at this time
69 lines (51 sloc) 1.88 KB


ACL for Node.JS. Including authentication and express middleware for authorization.

build status


npm install secure


1. Setup

Register the access control list:

var authenticatedAcl = require('secure/access-control-list')(customLogger)

You can define a custom logger and pass it through, else console will be used by default.

Add resources to the access control list:


This will add create, read, update, delete, and * as resource actions by default.

var accessControl = require('secure/access-control')(
  authenticationProvider, // Function to determine if user is authenticated
  authenticatedAcl, // Access control list for authenticated users
  unauthenticatedAcl, // Access control list for unauthenticated users (can use {} if not necessary)
  'admin', // Type, used to set req.session[type] for checking roles
  console, // Custom logger, if used
  function(req, res) {
    // Default failure callback

2. Middleware ACL

Add middleware to redirect users trying to access a resource without the appropriate permissions to a failure URL:

  accessControl.requiredAccess(resource, action, failureUrl),
  function(req, res) {

3. Non-middleware ACL Checks

The ACL can also be checked from within functions, rather than through middleware, for resource/action-specific functionality:

accessControl.isAllowed(req, resource, action) // Returns true/false


Dom Harrington

Paul Serby

Luke Wilde


Licenced under the New BSD License