Blazing Fast
Optimized with bit-level permission checking and efficient role hierarchy resolution. Built for performance-critical applications.
Fast, flexible, and framework-agnostic Role-Based Access Control for JavaScript/TypeScript

Install Fire Shield in your project:
npm install @fire-shield/core
yarn add @fire-shield/core
pnpm add @fire-shield/core

import { RBAC } from '@fire-shield/core'
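// Create RBAC instance
const rbac = new RBAC()

// Define roles and permissions.
// NOTE(review): `posts:*` / `users:*` presumably match every action on that resource,
// including actions added later; list actions explicitly where least privilege matters.
rbac.createRole('admin', ['posts:*', 'users:*'])
rbac.createRole('editor', ['posts:read', 'posts:write'])
rbac.createRole('viewer', ['posts:read'])

// Check permissions.
// The decision is driven entirely by `user.roles`, so that array has to be filled from a
// trusted server-side source (session store, verified token), never from request input.
const user = { id: '1', roles: ['editor'] }
rbac.hasPermission(user, 'posts:write') // ✅ true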
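rbac.hasPermission(user, 'users:delete') // ❌ false

Fire Shield provides first-class support for popular frameworks. The client-side adapters below decide what the UI renders; enforcement of a permission belongs to the server-side adapters and middleware.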
<template>
<!-- These directives only decide what is rendered; the browser controls the DOM, so the API behind each button must check the same permission again. -->
<!-- Show button only if user can write posts -->
<button v-can="'posts:write'">Create Post</button>
<!-- Hide button if user can't delete -->
<!-- NOTE(review): confirm the semantics of v-cannot. If it renders the element only when the permission is missing, this line shows "Delete Post" to exactly the users who cannot delete, which contradicts the comment above. -->
<button v-cannot="'posts:delete'">Delete Post</button>
</template>
<script setup>
import { useRBAC } from '@fire-shield/vue'
// Programmatic counterparts of the directives, for use in script logic.
const { can, cannot } = useRBAC()
</script>
import { Can, useRBAC } from '@fire-shield/react'
/**
 * Example editor toolbar that shows each action only to users holding the
 * matching permission.
 *
 * Both checks run in the browser and affect rendering only; the endpoints
 * behind the buttons still have to check `posts:write` / `posts:delete`.
 */
function PostEditor() {
  const rbacHook = useRBAC()

  // Programmatic check, evaluated on every render.
  const deleteButton = rbacHook.can('posts:delete') && <button>Delete Post</button>

  return (
    <>
      {/* Declarative check through the <Can> wrapper */}
      <Can permission="posts:write">
        <button>Create Post</button>
      </Can>
      {deleteButton}
    </>
  )
}

import { RBACProvider } from '@fire-shield/react'
import { rbac } from '@/lib/rbac'
// In layout or _app
/**
 * Wraps the application in RBACProvider so that descendants can resolve
 * permissions against the shared `rbac` instance.
 *
 * The provider feeds client-side rendering decisions only; requests are
 * authorized separately on the server.
 */
export default function RootLayout(props) {
  const { children } = props
  return <RBACProvider rbac={rbac}>{children}</RBACProvider>
}
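// Middleware for route protection.
// This belongs in the project's middleware file, not next to the layout above, and it
// needs `import { NextResponse } from 'next/server'`.
/**
 * Allows a request through only when the resolved user holds `admin:access`.
 *
 * `getUser` is not shown on this page. It has to derive the user from a verified
 * session or signed token; headers and unsigned cookies are caller-controlled.
 *
 * As written the check applies to every request the middleware receives. Scope it
 * with the `config.matcher` export (for example `['/<protected-prefix>/:path*']`,
 * a placeholder) if only part of the site is restricted.
 *
 * @param request Incoming Next.js request.
 * @returns A redirect to `/unauthorized` on denial, otherwise nothing, which lets
 *   the request continue.
 */
export function middleware(request) {
  // The denial page must stay reachable, or a denied user is redirected to it forever.
  if (request.nextUrl.pathname === '/unauthorized') {
    return
  }

  const user = getUser(request)

  // Fail closed: a request with no resolved user is treated as a denial.
  if (!user || !rbac.hasPermission(user, 'admin:access')) {
    // Middleware redirects require an absolute URL, so resolve against the request URL.
    return NextResponse.redirect(new URL('/unauthorized', request.url))
  }
}

<template>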
<div>
<!-- Use composables -->
<!-- v-if removes the button from the rendered page only; the server route behind it must check the permission as well. -->
<button v-if="canWrite">Create Post</button>
<button v-if="isAdmin">Admin Panel</button>
</div>
</template>
<script setup>
// useFireShield is not imported in this snippet; presumably it is auto-imported by the framework module. Confirm against the adapter's setup guide.
const { can } = useFireShield()
// NOTE(review): both values are computed once during setup. Whether they update when the user's roles change depends on what can() returns; confirm.
const canWrite = can('posts:write')
// "isAdmin" here means "holds the admin:access permission", not "has the admin role".
const isAdmin = can('admin:access')
</script>
import { Component } from '@angular/core'
import { RBACService } from '@fire-shield/angular'
// Example component with two ways of gating a button on a permission: the
// *fsCanPermission structural directive and an observable bound through the async pipe.
// Both only control whether the button is rendered in the browser; the backend
// endpoints must check posts:write and posts:delete themselves.
@Component({
selector: 'app-posts',
template: `
<!-- Structural directive -->
<button *fsCanPermission="'posts:write'">
Create Post
</button>
<!-- Observable -->
<button *ngIf="canDelete$ | async">
Delete Post
</button>
`
})
export class PostsComponent {
// Stream consumed by the async pipe in the template above.
// NOTE(review): this initializer reads this.rbac, a constructor parameter property.
// That ordering holds when useDefineForClassFields is false; confirm the project's tsconfig.
canDelete$ = this.rbac.can$('posts:delete')
constructor(private rbac: RBACService) {}
}
<script>
import { can, hasRole } from '@fire-shield/svelte'
// The markup below reads these with the `$` prefix, so they are used as Svelte stores.
const canWrite = can('posts:write')
// Role check rather than permission check: ties the UI to the role name 'admin'.
const isAdmin = hasRole('admin')
</script>
<!-- Reactive permission checks -->
<!-- These blocks decide what is rendered in the browser only; the server must authorize the actions behind the buttons. -->
{#if $canWrite}
<button>Create Post</button>
{/if}
{#if $isAdmin}
<button>Admin Panel</button>
{/if}
<!-- Use actions -->
<!-- NOTE(review): what the action does to the element when the permission is missing (hide, disable, remove) is not shown here; confirm. -->
<button use:can={'posts:delete'}>Delete</button>
import { createExpressRBAC } from '@fire-shield/express'
// Bind the RBAC instance to Express. `getUser` reads `req.user`, so an authentication
// middleware has to populate that field earlier in the chain.
// NOTE(review): confirm that the adapter rejects the request when `req.user` is missing.
const rbacMiddleware = createExpressRBAC(rbac, {
  getUser: (request) => request.user,
})

// Protect routes
const requirePostsWrite = rbacMiddleware.requirePermission('posts:write')
app.post('/posts', requirePostsWrite, createPost)

// The guard checks the permission string only; `:id` is not part of the decision.
// Per-post ownership rules, if any, belong in deletePost.
const requirePostsDelete = rbacMiddleware.requirePermission('posts:delete')
app.delete('/posts/:id', requirePostsDelete, deletePost)

import { createFastifyRBAC } from '@fire-shield/fastify'
// Bind the RBAC instance to Fastify. `getUser` reads `request.user`, which an
// authentication hook has to set before the preHandler below runs.
const { rbacPlugin, requirePermission } = createFastifyRBAC(rbac, {
  getUser: (req) => req.user,
})

// Register plugin
fastify.register(rbacPlugin)

// Protect routes: the permission check runs as a preHandler, ahead of createPost.
const createPostRouteOptions = {
  preHandler: requirePermission('posts:write'),
}
fastify.post('/posts', createPostRouteOptions, createPost)

import { Hono } from 'hono'
import { HonoRBACAdapter } from '@fire-shield/hono'
const app = new Hono()

// NOTE(review): no user resolver is passed to the adapter here; confirm where it reads
// the current user from, and that an unauthenticated request is denied.
const rbacMiddleware = new HonoRBACAdapter(rbac)

// Protect routes
const requireAdminAccess = rbacMiddleware.permission('admin:access')
app.get('/admin', requireAdminAccess, (ctx) => ctx.json({ admin: true }))

// Works on edge: Cloudflare, Deno, Vercel
export default app

| Feature | Fire Shield | Casbin | CASL | AccessControl | acl |
|---|---|---|---|---|---|
| TypeScript | ✅ Native | ✅ Full | ✅ Full | 🟡 Partial | 🟡 Partial |
| Bundle Size | 🎯 ~15KB | ~600KB+ | ~350KB | ~180KB | ~35KB |
| Dependencies | ✅ 0 | ~5 | 1 | 0 | Few |
| Wildcard Permissions | ✅ Yes | ✅ Yes (regex) | 🟡 Partial | ✅ Yes | ❌ No |
| Role Hierarchy | ✅ Yes | ✅ Yes | ❌ No | ❌ No | ❌ No |
| Audit Logging | ✅ Built-in | 🟡 Plugin | ❌ No | ❌ No | ❌ No |
| Deny Permissions | ✅ Yes | ✅ Yes | ❌ No | ❌ No | ❌ No |
| Framework Adapters | ✅ 9+ | 🟡 Limited | 🟡 Limited | ❌ No | ❌ No |
| Maintained | ✅ Active | ✅ Active | ✅ Active | 🟡 Low Activity | 🟡 Old/Little Maintenance |
If you find Fire Shield helpful, consider supporting its development:
Your support helps maintain and improve Fire Shield!