Blitz Guard - The centralized permission based authorization for Blitz.js
...
const Guard = GuardBuilder<ExtendedResourceTypes, ExtendedAbilityTypes>(
  async (ctx, { can, cannot }) => {
    cannot('manage', 'all')
    can("create", "article")
    cannot("create", "article").reason("Because I say so")
...
const { can, reason } = Guard.can("create", "article",{},{})
console.log(can) // false
console.log(reason) // "Because I say so"
This introduces a breaking change if you are using Guard.can: it now returns an object with can and reason instead of a boolean.
// Before
- const can = Guard.can("create", "article",{},{})
// Now
+ const { can, reason } = Guard.can("create", "article",{},{})
At the same time, if you are using the getAbility hook, the return type is now an object instead of a boolean.
...
const [[canCreateComment, canDeleteComment], { isLoading }] = useQuery(getAbility, [
  ["create", "comment"],
  ["delete", "comment" /* args */],
])
console.log(canCreateComment.can) // true
console.log(canCreateComment.reason) // "some reason"
console.log(canDeleteComment.can) // false
console.log(canDeleteComment.reason) // "some reason"
// Before
- const [[canCreateComment], { isLoading }] = useQuery(getAbility, [
- console.log(canCreateComment) // true
// Now
+ console.log(canCreateComment.can) // true
+ console.log(canCreateComment.reason) // "some reason"
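Both changes above replace a boolean with an object, so a call site left in its old form keeps compiling in plain JavaScript but always takes the "allowed" branch, because any object is truthy. The following added example (not code from Blitz Guard) shows that failure next to the migrated check and a fail-closed normalizer; `fakeGuardCan`, `sampleRules`, `legacyCheck`, `migratedCheck` and `isAllowed` are hypothetical names, and the real `Guard.can` is not called.

```javascript
// Constructed stand-in for the new return shape ({ can, reason }).
// sampleRules is sample data, not Blitz Guard's rule engine.
const sampleRules = {
  "create:article": { can: false, reason: "Because I say so" },
  "read:article": { can: true, reason: "" },
}

function fakeGuardCan(ability, resource) {
  const rule = sampleRules[`${ability}:${resource}`]
  // Anything not listed is denied, mirroring a cannot("manage", "all") base rule.
  return rule ? { ...rule } : { can: false, reason: "No matching rule" }
}

// Un-migrated call site, written when the result was a boolean.
// The returned object is always truthy, so a denied ability is reported as allowed.
function legacyCheck(ability, resource) {
  const can = fakeGuardCan(ability, resource)
  return can ? "allowed" : "denied"
}

// Migrated call site: destructure and test the boolean field itself.
function migratedCheck(ability, resource) {
  const { can, reason } = fakeGuardCan(ability, resource)
  return can === true ? "allowed" : `denied: ${reason}`
}

// Fail-closed normalizer: only an object with can === true grants access.
// A bare boolean, null or undefined is treated as a denial, so a version
// mismatch surfaces as a refused request rather than a silent grant.
function isAllowed(result) {
  return typeof result === "object" && result !== null && result.can === true
}

console.log(legacyCheck("create", "article"))   // un-migrated check
console.log(migratedCheck("create", "article")) // migrated check
```

Searching the code base for places where the result of `Guard.can` or a `getAbility` entry is used directly in a condition is a quick way to find call sites that still need migrating.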
...
resolver.pipe(
  resolver.zod(CreateProject),
  Guard.authorizePipe("create", "project"),
...
If you are using pipes in your queries or mutations, you can use Guard.authorizePipe as shown in the example above. If the authorization fails, it throws an AuthorizationError.
See usage here: https://ntgussoni.github.io/blitz-guard/docs/secure-your-endpoints/#guardauthorizepipe
Initial release