  • Stars: 1,683
  • Rank: 26,548 (Top 0.6 %)
  • Language: JavaScript
  • License: MIT License
  • Created about 6 years ago
  • Updated about 1 year ago


Repository Details

An unopinionated authentication library for building Node.js APIs.




Permit makes it easy to add an authentication layer to any Node.js API. It can be used with any of the popular server frameworks (e.g. Express, Koa, Hapi, Fastify) and it can be used for any type of API (e.g. REST, GraphQL, etc.) due to its simple, unopinionated design.


Usage

Permit lets you authenticate via the two schemes most APIs need: a single secret bearer token, or a set of username and password credentials. For example, here's how to authenticate a bearer token:

import { Bearer } from 'permit'

// A permit that checks for HTTP Bearer Auth, falling back to a query string.
const permit = new Bearer({
  query: 'access_token',
})

async function handler({ req, res }) {
  // Try to find the bearer token in the request.
  const token = permit.check(req)

  // No token, that means they didn't pass credentials!
  if (!token) {
    permit.fail(res)
    throw new Error(`Authentication required!`)
  }

  // Authenticate the token however you'd like...
  const user = await db.users.findByToken(token)

  // No user, that means their credentials were invalid!
  if (!user) {
    permit.fail(res)
    throw new Error(`Authentication invalid!`)
  }

  // They were authenticated, so continue with your business logic...
  // ...
}

Since Permit isn't tightly coupled to a framework or data model, it gives you complete control over how you write your authentication logic—the exact same way you'd write any other request handler.
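The following is an added example, not Permit's own code: it spells out the check / authenticate / fail flow from the handler above with Node's standard library only, and adds two things the "authenticate however you'd like" step usually needs, a token store that holds only digests and redaction of query-string tokens before a URL is logged. The names `findBearerToken`, `challenge`, `authenticate`, `urlForLog`, `mockRes` and `USERS_BY_DIGEST`, and the sample token, are assumptions made for this illustration.

```javascript
const nodeCrypto = require('crypto')

// Constructed sample store: only SHA-256 digests of tokens are kept, so a
// leaked table does not hand out usable credentials.
const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest('hex')
const USERS_BY_DIGEST = new Map([
  [sha256('constructed-sample-token'), { id: 1, name: 'alice' }],
])

// Hypothetical stand-in for permit.check(req): Authorization header first,
// then the named query parameter as a fallback.
function findBearerToken(req, queryKey = 'access_token') {
  const match = /^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i.exec(req.headers.authorization || '')
  if (match) return match[1]
  return new URL(req.url, 'http://localhost').searchParams.get(queryKey) || null
}

// Hypothetical stand-in for permit.fail(res): 401 with a Bearer challenge.
// The error code is sent only when a credential was presented and rejected.
function challenge(res, error) {
  res.statusCode = 401
  res.setHeader('WWW-Authenticate', error ? `Bearer error="${error}"` : 'Bearer')
}

// Returns the user, or null after writing the challenge to res.
function authenticate(req, res) {
  const token = findBearerToken(req)
  if (!token) {
    challenge(res)
    return null
  }
  // Lookup is by digest, so the raw token is never stored or compared directly.
  const user = USERS_BY_DIGEST.get(sha256(token)) || null
  if (!user) challenge(res, 'invalid_token')
  return user
}

// Query-string tokens land in access logs; redact before logging the URL.
function urlForLog(req, queryKey = 'access_token') {
  const url = new URL(req.url, 'http://localhost')
  if (url.searchParams.has(queryKey)) url.searchParams.set(queryKey, 'REDACTED')
  return url.pathname + url.search
}

// Minimal response double so the example runs without a server.
function mockRes() {
  const headers = {}
  return { statusCode: 200, headers, setHeader: (k, v) => { headers[k.toLowerCase()] = v } }
}
```

The query-string fallback is convenient for clients that cannot set headers, but any request logger placed in front of the handler should log `urlForLog(req)` rather than `req.url`.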


Why?

Before Permit, the only real choice for authentication libraries in Node.js was Passport.js. But it has a bunch of issues that complicate your codebase...

  • It is not focused on authenticating APIs. Passport is focused on authenticating web apps with services like Facebook, Twitter and GitHub. APIs don't need that, so all the extra bloat means lots of complexity for no gain.

  • It is tightly-coupled to Express. If you use Koa, Hapi, Fastify, or some other framework you have to go to great lengths to get it to play nicely. Even if you just want to tweak the opinionated defaults you're often out of luck.

  • Other middleware are tightly-coupled to it. Passport stores state on the req object, so all your other middleware (even other third-party middleware) become tightly coupled to its implementation, making your codebase brittle.

  • It results in lots of hard-to-debug indirection. Because of Passport's black-box architecture, whenever you need to debug an issue it's causing, you have to trace its logic across many layers of indirection and many repositories.

  • It's not very actively maintained. Passport's focus on OAuth providers means that it takes on a huge amount of scope, across a lot of repositories, many of which are not actively maintained anymore.

Don't get me wrong, Passport works great for working with OAuth providers. But if you've run into any of these problems before while adding authentication to a Node.js API, you might like Permit.

Which brings me to how Permit solves these issues...


Principles

  1. API first. Permit was designed with authenticating APIs in mind, so it's able to be much leaner than others, since it doesn't need to handle complex OAuth integrations with Facebook, Google, etc.

  2. Stateless requests. Since the vast majority of APIs are stateless in nature, Permit eschews the complexity that comes with handling session stores—without preventing you from using one if you need to.

  3. Framework agnostic. Permit doesn't lock you into using any specific server framework or data model, because it's composed of small but powerful utility functions that do the heavy-lifting for you.

  4. Unopinionated interface. Due to its simple interface, Permit makes it much easier to write and reason about your actual authentication logic, because it's exactly like writing any other route handler for your API.


Examples

Permit's API is very flexible, allowing it to be used for a variety of use cases depending on your server framework, your feelings about ORMs, your use of promises, etc. Here are a few examples of common patterns...


Documentation

Read the getting started guide to familiarize yourself with how Permit works, or check out the full API reference for more detailed information...


Thanks

Thank you to @dresende for graciously transferring the permit package!


License

This package is MIT-licensed.
