
Development Report of Casbin.js

    kingiw · 5 years ago · 104 views
    This topic was created 1889 days ago; the information in it may have since developed or changed.

    Forwarded from https://github.com/casbin/casbin.js/issues/12

    Casbin.js is one of the GSoC 2020 projects for the Casbin community. See the MainPage for more details. Refer to the Casbin.js documentation for usage instructions and star our origin repo.

    This report illustrates Casbin.js features and our current challenges (as of Aug. 2020). This report also serves as the final evaluation report for GSoC 2020.

    Features

    Casbin.js was built from zero during the past three months. The purpose of Casbin.js is to extend the existing access control management functionality of Casbin to frontend webpages. In our picture, Casbin.js can unify authorization management on the client side while avoiding potential security risks such as the leakage of access data.

    Currently, Casbin.js can be perfectly integrated with a server-side Casbin core and provides some foolproof interfaces for enforcing the permissions of client-side visitors.

    Casbin.js supports the following modes so far:

    1. Manual. The user can specify the permissions manually with files and objects when the authorizer is activated.

    2. Auto. This is the core mode of Casbin.js. Casbin.js will monitor changes of the frontend user's identity and sync the permission with a predefined backend service.

    3. (Experimental) Cookies. Maintains the permission of the frontend user via cookies.

    Casbin.js now perfectly supports the diverse access control models that Casbin originally supports, including ACL, RBAC and ABAC.

    Casbin.js supports dynamic environments. If you are using React or Vue, you can install Casbin.js with npm or yarn. Casbin.js can also be used directly in the browser by referencing its bundled version.

    To avoid unnecessary syncing, Casbin.js is equipped with a built-in cache system.

    Challenges

    Casbin.js is a new-born baby, and it still faces a series of challenges.

    One of the toughest challenges is the implementation of a simple version of the enforcer with no sacrifice of the available features. Temporarily, Casbin.js uses part of the functionality of Node-Casbin in the enforcer in order to support ABAC. However, this requires integration with Node-Casbin, which greatly increases the size of Casbin.js and brings a lot of redundancy. I am currently working on developing a "small" enforcer that is suitable for the frontend.

    Another tough problem is minimizing the cost of describing a user's permission. Originally, for ACL and RBAC, a dedicatedly designed object is enough for profiling what a user can do. However, advanced models like ABAC and ABAC with custom rules require a more flexible and robust data structure.

    Contribution

    Main Event

    I developed Casbin.js from zero during the GSoC coding period. At the beginning, my mentors and I had a heated discussion on the features of Casbin.js. Most of the ideas and the architecture follow my proposal. Originally, Casbin.js was designed to support ACL and RBAC. However, earlier this month, I had a strong debate with my mentors and we finally decided to move Casbin.js to support ABAC and ABAC access control model.

    Start of Casbin.js architecture: https://github.com/casbin/casbin.js/pull/4/ (Authorizer, message synchronization)

    Permission handlers and basic APIs: https://github.com/casbin/casbin.js/pull/5

    Support as a UMD module: https://github.com/casbin/casbin.js/pull/6

    Add cookie mode: https://github.com/casbin/casbin.js/pull/7

    Local storage cache: https://github.com/casbin/casbin.js/pull/9

    Breaking change: Support for ABAC and other AC models: https://github.com/casbin/casbin.js/pull/11

    I wrote a demo in React, which shows the basic methodology of Casbin.js: https://github.com/casbin-js/examples/tree/master/react

    I provided the necessary API for the backend service in both Go Casbin and Node-Casbin. I'll add the API to the Casbin implementations in other languages later on.

    https://github.com/casbin/casbin/pull/557

    https://github.com/casbin/node-casbin/pull/179

    https://github.com/casbin/node-casbin/pull/186

    I also tried to create something named CSS controller in the native HTML environment. The CSS controller can monitor and manipulate the styles according to the user's permission. I have slowed it down temporarily because I think it's not really useful. See https://github.com/kingiw/casbin.js/commits/cssctl for more details.

    Others

    DynamoDB Adapter

    I wrote an adapter for DynamoDB for jCasbin. See the gist for more details.

    Casbin Forum

    I made some contributions to casbin-forum. My major work is to unify the access-control management modules using the RBAC+ABAC model with Casbin. For now I've done the work on the server side and am waiting for the updates of Casbin. See https://github.com/casbin/casbin-forum/pull/65/files. Also, as an experiment, I will use Casbin.js on the Casbin forum client side.

    Casbin Documentation

    I participated in the development and maintenance of the official website of Casbin, including the following two parts: 1. Fixing a severe bug in the annotations of translated docs. See https://github.com/casbin/casbin-website/issues/95. 2. Working on the Chinese translation for some parts of the documentation.

    After GSoC

    I will continue developing Casbin.js after the end of GSoC. Fixing the challenges mentioned above will be my major work.

    Some of the features raised in my proposal were not implemented: integrating Casbin.js with modern frontend frameworks and providing easy-to-use interfaces. I believe this feature is not a must for Casbin.js, so I didn't prioritize it. I will do this task after fixing the biggest challenges of Casbin.js.

    Acknowledgement

    I wish to express my heartfelt appreciation to my mentor and the creator of Casbin @hsluoyz, as well as Casbin members @nodece and @GopherJ. They all gave me lots of assistance, guidance and inspiration during the past three months.

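The auto mode and cache from the report's Features section, sketched as an added example that is not part of the original post and is not the Casbin.js API: `AutoAuthorizer`, `fetchPermission`, `ttlMs` and the sample users are hypothetical names. It starts from deny-all on every identity change, reuses a cached answer until it expires, and ignores a backend reply that arrives after the identity has changed again.

```javascript
// Added illustration; not the Casbin.js API. Every name here is hypothetical.
class AutoAuthorizer {
  // fetchPermission(user) resolves to { action: [objects] }; it stands in for the backend call.
  constructor(fetchPermission, { ttlMs = 60000, now = Date.now } = {}) {
    Object.assign(this, { fetchPermission, ttlMs, now, user: null });
    this.cache = new Map(); // user -> { permission, expires }
    this.permission = {}; // empty object means "deny everything"
  }
  async setUser(user) { // call whenever the frontend identity changes
    this.user = user;
    this.permission = {}; // drop the previous user's rights before syncing
    let entry = this.cache.get(user);
    if (!entry || entry.expires <= this.now()) {
      const permission = await this.fetchPermission(user); // a throw leaves deny-all
      entry = { permission, expires: this.now() + this.ttlMs };
      this.cache.set(user, entry);
    }
    if (this.user === user) this.permission = entry.permission; // ignore stale replies
  }
  can(action, object) {
    const objects = this.permission[action];
    return Array.isArray(objects) && objects.includes(object);
  }
}
// Constructed sample data standing in for the backend's answers.
const SAMPLE = new Map([["alice", { read: ["data1", "data2"], write: ["data1"] }],
                        ["bob", { read: ["data2"] }]]);

async function demo() {
  let calls = 0, clock = 0;
  const backend = async (user) => {
    calls += 1;
    if (!SAMPLE.has(user)) throw new Error("unknown user");
    return SAMPLE.get(user);
  };
  const auth = new AutoAuthorizer(backend, { ttlMs: 1000, now: () => clock });
  await auth.setUser("alice");
  const aliceWrite = auth.can("write", "data1");
  await auth.setUser("bob");
  const bobWrite = auth.can("write", "data1");
  await auth.setUser("alice"); // within the TTL: served from cache
  const callsAfterHit = calls;
  clock = 2000; // past the TTL
  await auth.setUser("alice"); // expired entry: synced again
  const callsAfterExpiry = calls;
  await auth.setUser("carol").catch(() => {}); // sync fails for an unknown user
  const carolRead = auth.can("read", "data2");
  return { aliceWrite, bobWrite, callsAfterHit, callsAfterExpiry, carolRead };
}
demo().then(console.log);
```

The answer from `can` only decides what the page shows; the backend service that holds the policy still evaluates each request.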