CASL is a library that is designed to make managing permissions easier. We spoke to CASL’s developer Sergii Stotskyi about the library. When do you need CASL, what has changed with version 4.0 and what are some typical stumbling blocks?
JAXenter: Hi Sergii, you are the developer of CASL, so could you tell us what it is and who should be using it?
What else can I say about CASL?
CASL is declarative: it allows you to define permissions in memory using a domain-specific language that matches your business requirements almost word for word.
CASL is type-safe: it's written in TypeScript, which makes apps safer and the developer experience more enjoyable.
CASL is small, it’s just ~4.5KB mingzipped and can be even smaller, thanks to tree-shaking! The minimum size is ~1.5KB.
JAXenter: When should you use CASL?
Sergii Stotskyi: Whenever you have a requirement to implement access control in the application. CASL, at its core, implements ABAC (i.e., Attribute-Based Access Control), but it can be successfully used to implement RBAC (Role-Based Access Control) and even claim-based access control.
Moreover, CASL can be integrated with databases, so you can use it to query accessible records! Currently it officially supports MongoDB and Mongoose. Support for SQL is planned to be implemented in the near future. From what I know, there are successful integrations of CASL with Objection.js, Sequelize and GraphQL.
CASL supported TypeScript from the early versions, but it did so through handwritten declaration files. It was tedious to update them and I used to forget to do that when a new feature was released.
CASL 4.0 is rewritten in TypeScript. Now, I’m sure that types are in sync with the latest features. Moreover, new types are more advanced and helpful in comparison to the handwritten ones. They allow an IDE to give you hints on what actions and/or subjects can be used, and what MongoDB operators you can use in conditions, so you are protected from making typos in action or subject names.
JAXenter: What other changes were published in CASL 4.0 that users should definitely know about?
The main goals of the 4.0 release were:
- comprehensive TypeScript support
- better documentation
- better tree-shaking support
TypeScript support was improved a lot! In 4.0, the Ability class accepts 2 optional generic parameters. The 1st parameter restricts which actions can be done on which subjects and the 2nd defines the shape of the conditions object. By default, the Ability class uses MongoDB conditions, so you need to specify only one parameter – application abilities.