casl
CASL is an isomorphic authorization JavaScript library which restricts what resources a given user is allowed to access
JavaScript and TypeScript library for defining what logged-in users are allowed to do in an app, with the same permission rules enforced consistently across the browser, API, and database.
CASL (pronounced like "castle") is a JavaScript and TypeScript library for managing authorization in web applications. Authorization is the process of deciding what a logged-in user is actually allowed to do: can this person read a post, edit it, or delete it? CASL provides a structured way to define and check those rules so the same logic can be applied consistently across a browser interface, a back-end API, and database queries.
The library is built around the concept of abilities: a collection of rules describing what actions a user can perform on which resources. A rule can be as broad as "any user can read blog posts" or as specific as "a user can only delete their own posts if the post was created in the last 24 hours." Rules can also target specific fields on a resource, not just the resource type as a whole.
CASL is designed to work in both browser and server environments without changes. It has official integration packages for major JavaScript frameworks: Angular, React, Vue, and Aurelia on the front end, and Mongoose and Prisma on the back end. The core package is small, around 6 kilobytes compressed, and the structure lets you include only the parts your project needs.
Rules can be serialized, meaning converted to plain data and sent from a server to a browser, so the front end enforces the same permissions as the API without duplicating the logic in two places. The library is written in TypeScript, giving you type-checking throughout. It was inspired by a Ruby authorization library called CanCan.
Documentation, examples, and a community support channel are available through the project's GitHub discussions and the links in the README.
Where it fits
- Define role-based access rules once and enforce them in both your React frontend and Node.js API without duplicating logic in two places
- Restrict users to editing only their own posts by writing a conditional CASL rule that checks resource ownership
- Serialize permission rules from the server and send them to the browser so the UI hides buttons the user cannot access
- Integrate CASL with Prisma or Mongoose to automatically scope database queries to what the current user is allowed to see
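The following is an added example, not code from CASL or its README, that re-creates in dependency-free JavaScript the three ideas described above: rules with ownership and time-window conditions and field restrictions, rules shipped to the browser as plain JSON, and rules turned into a database filter. CASL's real entry points (defineAbility, AbilityBuilder, createMongoAbility, accessibleBy) are richer and behave differently in details; every function name, the `kind` property used to mark a subject's type, and the sample posts below are assumptions made for this illustration.

```javascript
// Rules are plain objects: { action, subject, conditions?, fields?, inverted? }.
// They hold only JSON-safe values, so the API can hand them to the browser and
// both sides evaluate them with the same function. (Illustrative re-creation,
// not CASL's own data model.)
function defineRulesFor(user, now = Date.now()) {
  const dayAgo = now - 24 * 60 * 60 * 1000;
  return [
    // any user may read posts
    { action: 'read', subject: 'Post' },
    // authors may change title and body of their own posts, but no other field
    { action: 'update', subject: 'Post', conditions: { authorId: user.id }, fields: ['title', 'body'] },
    // authors may delete their own posts only within 24 hours of creation
    { action: 'delete', subject: 'Post', conditions: { authorId: user.id, createdAt: { $gte: dayAgo } } },
    // a "cannot" rule: archived posts are frozen regardless of ownership
    { action: 'update', subject: 'Post', conditions: { archived: true }, inverted: true },
  ];
}

// Tiny MongoDB-style matcher: equality plus $gt/$gte/$lt/$lte.
function matchesConditions(conditions, resource) {
  if (!conditions) return true;
  return Object.entries(conditions).every(([key, expected]) => {
    const actual = resource[key];
    if (expected !== null && typeof expected === 'object') {
      return Object.entries(expected).every(([op, value]) => {
        switch (op) {
          case '$gt': return actual > value;
          case '$gte': return actual >= value;
          case '$lt': return actual < value;
          case '$lte': return actual <= value;
          default: throw new Error(`unsupported operator ${op}`);
        }
      });
    }
    return actual === expected;
  });
}

// A subject is either a type name ('Post') or an instance carrying `kind: 'Post'`
// (a convention assumed here; CASL detects the type from the class or a helper).
function ruleMatches(rule, action, subject, field) {
  const subjectType = typeof subject === 'string' ? subject : subject.kind;
  if (rule.action !== action && rule.action !== 'manage') return false;
  if (rule.subject !== subjectType && rule.subject !== 'all') return false;
  if (field && rule.fields && !rule.fields.includes(field)) return false;
  // Type-level question ("may this user update Posts at all?"): conditions are
  // not evaluated; only an unconditional "cannot" rule answers no.
  if (typeof subject === 'string') return !(rule.inverted && rule.conditions);
  return matchesConditions(rule.conditions, subject);
}

// Later rules take precedence, so a "cannot" defined after a "can" overrides it.
// No matching rule means denied by default.
function can(rules, action, subject, field) {
  for (let i = rules.length - 1; i >= 0; i--) {
    if (ruleMatches(rules[i], action, subject, field)) return !rules[i].inverted;
  }
  return false;
}

// Turn the rules for one action/type into a database filter, the idea behind
// scoping queries in the Mongoose and Prisma integrations. Returns null when
// nothing is accessible and {} when everything is. Simplification: rule order
// is ignored here, unlike in the instance check above.
function accessibleFilter(rules, action, subjectType) {
  const relevant = rules.filter(r =>
    (r.action === action || r.action === 'manage') &&
    (r.subject === subjectType || r.subject === 'all'));
  if (relevant.some(r => r.inverted && !r.conditions)) return null;
  const allow = relevant.filter(r => !r.inverted).map(r => r.conditions || {});
  const deny = relevant.filter(r => r.inverted).map(r => r.conditions);
  if (allow.length === 0) return null;
  const filter = {};
  if (!allow.some(c => Object.keys(c).length === 0)) filter.$or = allow;
  if (deny.length > 0) filter.$nor = deny;
  return filter;
}

// Constructed sample data: a fixed clock keeps the 24-hour rule deterministic.
const NOW = 1700000000000;
const alice = { id: 7 };
const samplePosts = {
  ownFresh:    { kind: 'Post', authorId: 7, createdAt: NOW - 3600 * 1000,      archived: false },
  ownOld:      { kind: 'Post', authorId: 7, createdAt: NOW - 48 * 3600 * 1000, archived: false },
  ownArchived: { kind: 'Post', authorId: 7, createdAt: NOW,                    archived: true },
  someoneElse: { kind: 'Post', authorId: 3, createdAt: NOW,                    archived: false },
};

// Simulate the server building the rules and the browser receiving them as JSON.
function shippedRules() {
  return JSON.parse(JSON.stringify(defineRulesFor(alice, NOW)));
}

if (typeof require !== 'undefined' && require.main === module) {
  const shipped = shippedRules();
  console.log('update own fresh post:', can(shipped, 'update', samplePosts.ownFresh));             // true
  console.log('update published flag:', can(shipped, 'update', samplePosts.ownFresh, 'published')); // false
  console.log('update filter:', JSON.stringify(accessibleFilter(shipped, 'update', 'Post')));
}
```

The serialized rules let the browser hide an "Edit" button for posts the user may not change, but that is a convenience for the user, not a security boundary: a request can be crafted without the UI, so the API must run the same `can` check (or apply the same query filter) on every request. Keeping timestamps as numbers rather than `Date` objects in the conditions is what keeps the round trip through JSON lossless.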