Action based authorization middleware.
tag: v0.1.0
Action based authorization middleware

The authorized package is available on npm.

$ npm install authorized


Quick start

Import an authorization manager.

var auth = require('authorized');

Provide getters for your application roles. A role getter receives the request and a done(err, result) callback; it reports that the current user holds the role by calling done with a truthy result.

auth.role('admin', function(req, done) {
  done(null, req.user && req.user.admin);
});

Role names can use <entity>.<relation> syntax. For such roles the named entity is resolved first (see the entity getters below) and passed to the getter ahead of the request.

// getters for entity.relation type roles are called with the entity
auth.role('organization.owner', function(org, req, done) {
  if (!req.user) {
    // no authenticated user: the role is simply not held (no error)
    done(null, false);
  } else {
    // assumes authentication put the user's identifier on req.user.id
    done(null, !!~org.owners.indexOf(req.user.id));
  }
});

Provide getters for your application entities. An entity getter loads the entity the request refers to (here from the URL) and hands it back through done(err, entity).

auth.entity('organization', function(req, done) {
  // assume url like /organizations/:orgId
  var match = req.url.match(/^\/organizations\/(\w+)/);
  if (!match) {
    // return here so the lookup below never runs with a null match
    return done(new Error('Expected url like /organizations/:orgId'));
  }
  // pretend we're going to the db for the organization
  process.nextTick(function() {
    // mock org
    var org = {id: match[1], owners: ['user.1']};
    done(null, org);
  });
});

Now define which roles are required for your actions. An action is allowed when the user holds any one of the listed roles.

auth.action('add members to organization', ['admin', 'organization.owner']);

Now you're ready to generate authorization middleware.

var middleware = auth.can('add members to organization');

This middleware can be used in Connect/Express apps in your route definitions. Handlers placed after it run only when the action is allowed.

var assert = require('assert');
var express = require('express');
var app = express();

// route path assumed to match the organization entity getter above
app.post(
    '/organizations/:orgId/members',
    auth.can('add members to organization'),
    function(req, res, next) {
      // you can safely let the user add members to the org here
      // you can also access entities, roles, and actions for your view
      var view = auth.view(req);
      assert.strictEqual(view.roles['admin'], false);
      assert.strictEqual(view.roles['organization.owner'], true);
      assert.strictEqual(view.actions['add members to organization'], true);
      res.end();
    });

What else?

This package is strictly about authorization. For a full-featured authentication package, see PassportJS.

Inspiration is drawn from connect-roles. One major difference is that this package is entirely async: you do not have to determine synchronously whether a user can perform an action.

Check out the tests for more.

Tests are run with mocha.

npm test