granter

v2.0.2

Composable, type-safe authorization for TypeScript. Define permissions once, use everywhere.

Why granter?

  • Composable - Build complex permissions from simple rules
  • 🔒 Type-safe - Full TypeScript inference with generic contexts
  • Async-first - Works seamlessly with databases, APIs, and DataLoader
  • 🔧 Framework-agnostic - Works with Express, Hono, Next.js, GraphQL, and more
  • 🪶 Zero dependencies - Lightweight and performant

Quick Example

import { permission, or } from 'granter';

// Define permissions
const isAdmin = permission('isAdmin', (ctx) => ctx.user.role === 'admin');

const isPostOwner = permission('isPostOwner', (ctx, post) => post.authorId === ctx.user.id);

// Compose permissions
const canEditPost = or(isPostOwner, isAdmin);

// Use them - permissions are callable!
if (await canEditPost(ctx, post)) {
  await updatePost(post);
}

// Require permission (throws if denied)
await canEditPost.orThrow(ctx, post);

// Filter arrays
const editablePosts = await canEditPost.filter(ctx, allPosts);

// Debug permission checks
const explanation = await canEditPost.explain(ctx, post);

Installation

npm install granter

Documentation

Visit seeden.github.io/granter for the complete documentation.

Key Features

Composable Operators

import { and, or, not } from 'granter';

// Combine with OR (any must pass)
const canEdit = or(isPostOwner, isAdmin, isModerator);

// Combine with AND (all must pass)
const canPublish = and(isAuthenticated, isVerified, isPostOwner);

// Negate permissions
const canComment = and(isAuthenticated, not(isBanned));

Powerful Methods

// Check permission (returns boolean)
if (await canEdit(ctx, post)) {
  /* ... */
}

// Require permission (throws if denied)
await canEdit.orThrow(ctx, post);

// Filter arrays to allowed items
const editable = await canEdit.filter(ctx, allPosts);

// Debug permission checks
const explanation = await canEdit.explain(ctx, post);

Simplify with withContext()

import { withContext } from 'granter';

const abilities = withContext(ctx, {
  canEditPost,
  canDeletePost,
});

// No need to pass ctx anymore!
if (await abilities.canEditPost(post)) {
  await updatePost(post);
}

Framework Examples

granter works with any TypeScript project. See the documentation for complete examples with:

  • Express.js - REST API with middleware
  • Next.js - Server Actions and App Router
  • GraphQL - Apollo Server with DataLoader
  • React - Context and hooks patterns

Authentication Integration

granter is authorization-only and works with any authentication library.

See the Authentication Integration guide for complete examples.

TypeScript Support

granter is built with TypeScript and provides full type inference:

type AppContext = {
  user: { id: string; role: string };
  db: Database;
};

type Post = {
  id: string;
  authorId: string;
};

const canEdit = or(isPostOwner, isAdmin);

// ✅ Type-safe: ctx and post are fully typed
await canEdit(ctx, post);

// ❌ TypeScript error: missing resource
await canEdit(ctx);

Testing

Permissions are pure functions, making them easy to test:

import { describe, it, expect } from 'vitest';

describe('canEditPost', () => {
  it('allows post owner', async () => {
    const ctx = { user: { id: '1', role: 'user' }, db };
    const post = { id: '123', authorId: '1' };

    expect(await canEditPost(ctx, post)).toBe(true);
  });

  it('allows admin', async () => {
    const ctx = { user: { id: '2', role: 'admin' }, db };
    const post = { id: '123', authorId: '1' };

    expect(await canEditPost(ctx, post)).toBe(true);
  });

  it('denies other users', async () => {
    const ctx = { user: { id: '3', role: 'user' }, db };
    const post = { id: '123', authorId: '1' };

    expect(await canEditPost(ctx, post)).toBe(false);
  });
});

Advanced Features

Parallel Operators

Use orParallel() and andParallel() for DataLoader batching:

import { orParallel, andParallel } from 'granter';

// Run all checks in parallel (no short-circuit)
const canEdit = orParallel(isPostOwner, isAdmin, isModerator);
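
The three cases under Testing and the "no short-circuit" note above, carried further in an added example (not granter's code and not from the project): a minimal stand-in for permission, or and orParallel enumerates a role × ownership matrix, including a case-variant role that must be denied, and records which leaf rules actually run. The trace field on the context, grantMatrix and leafRuns are hypothetical names, and the stand-ins assume only the semantics stated on this page.

```typescript
// Illustrative stand-in for the composition model above; NOT granter's source.
type Ctx = { user: { id: string; role: string }; trace: string[] };
type Post = { id: string; authorId: string };
type Rule = (ctx: Ctx, post: Post) => Promise<boolean>;

// Hypothetical helper shaped like permission(name, fn); records each evaluation.
const permission = (name: string, fn: (c: Ctx, p: Post) => boolean): Rule =>
  async (c, p) => {
    c.trace.push(name);
    return fn(c, p);
  };

// Sequential OR: stops at the first rule that grants; denies if none do.
const or = (...rules: Rule[]): Rule => async (c, p) => {
  for (const r of rules) {
    if (await r(c, p)) return true;
  }
  return false;
};

// Parallel OR: starts every rule before combining results (no short-circuit).
const orParallel = (...rules: Rule[]): Rule => async (c, p) => {
  const results = await Promise.all(rules.map((r) => r(c, p)));
  return results.some((granted) => granted);
};

const isPostOwner = permission('isPostOwner', (c, p) => p.authorId === c.user.id);
const isAdmin = permission('isAdmin', (c) => c.user.role === 'admin');

// Enumerate role x user-id combinations (constructed data) and list the grants.
async function grantMatrix(rule: Rule): Promise<string[]> {
  const post: Post = { id: '123', authorId: '1' };
  const granted: string[] = [];
  for (const role of ['user', 'admin', 'Admin']) {
    for (const id of ['1', '2']) {
      const ctx: Ctx = { user: { id, role }, trace: [] };
      if (await rule(ctx, post)) granted.push(`${role}:${id}`);
    }
  }
  return granted;
}

// Which leaf rules run when the post owner (a non-admin) asks to edit?
async function leafRuns(rule: Rule): Promise<string[]> {
  const ctx: Ctx = { user: { id: '1', role: 'user' }, trace: [] };
  await rule(ctx, { id: '123', authorId: '1' });
  return ctx.trace;
}
grantMatrix(or(isPostOwner, isAdmin)).then((g) => console.log('granted:', g));
```

Both operators must yield the same grant list; only the set of evaluated leaf rules differs, which matters when a rule is expensive or has side effects.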


Debug with .explain()

Understand why permissions passed or failed:

const explanation = await canEdit.explain(ctx, post);
console.log(JSON.stringify(explanation, null, 2));
// {
//   "name": "(isPostOwner OR isAdmin)",
//   "value": false,
//   "duration": 15.23,
//   "children": [
//     { "name": "isPostOwner", "value": false, "duration": 8.12 },
//     { "name": "isAdmin", "value": false, "duration": 7.11 }
//   ]
// }


Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

License

MIT © seeden

