npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

simple-authz

v1.0.4

Published

Lightweight policy-based authorization engine for Node.js using TOON policy language

Downloads

348

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

hongzirohongziro

Keywords

authorizationaccess-controlauthpolicy-enginerbacabacpermissionsnodejs-authauthorization-librarysecuritypolicy-based-accessauthzrole-based-access-controlauthorization-engine

Readme

Simple Authz

A lightweight and flexible authorization engine for Node.js built around a simple policy language called TOON (Token-Oriented Object Notation).

Simple Authz allows developers to centralize authorization logic using policy files instead of scattering permission checks across application code.

The goal of this project is to make authorization simple, fast, readable, and scalable.

Table of Contents

  • Overview
  • Why Simple Authz
  • Key Features
  • Installation
  • Quick Start
  • Core Concepts
  • Policy Language (TOON)
  • Policy Examples
  • Using Conditions
  • Working with Roles
  • Authorization API
  • Example Integrations
  • Project Structure
  • Performance
  • Security Model
  • Roadmap
  • Contributing
  • License

Overview

Most applications implement authorization like this:

if(user.role === "admin") { ... }
if(user.id === listing.owner_id) { ... }
if(user.permissions.includes("edit_listing")) { ... }

Over time this logic spreads across many files and becomes difficult to maintain.

Simple Authz solves this by moving authorization rules into policy files.

Example policy file:

allow admin *

allow user view listing

allow broker publish listing

allow broker edit listing
condition listing.owner_id == user.id

Your application then only needs to ask:

authz.can(user, "edit", "listing", listing)

Why Simple Authz

Benefits of centralized authorization:

  • Clear separation between business logic and security rules
  • Easy permission updates without touching application code
  • Better maintainability for large projects
  • Safer and more predictable access control
  • Easier onboarding for new developers

Key Features

  • Simple and readable policy language
  • Fast permission lookup
  • Support for multiple user roles
  • Logical conditional rules
  • Policy validation
  • Policy AST compilation
  • Lightweight with minimal dependencies
  • Works with any Node.js framework

Installation

Install using npm:

npm install simple-authz

Quick Start

1. Import the library

const Authz = require("simple-authz")

const authz = new Authz()

2. Create a policy file

Create a file called:

authz.toon

Example policy:

allow admin *

allow user view listing

allow broker publish listing

allow broker edit listing
condition listing.owner_id == user.id

3. Load the policy

authz.load("./authz.toon")

4. Check permissions

const allowed = authz.can(user, "edit", "listing", listing)

Example usage:

if(authz.can(user,"edit", "listing", listing)){
    updateListing()
}else{
    throw new Error("Access denied")
}

5. authz.explain() (Optional)

The authz.explain() method helps debug authorization decisions by returning detailed information about why access was allowed or denied.

Unlike authz.can(), which returns only true or false, this method returns an object explaining the result.

Usage

authz.explain(user, "edit", "listing", listing)

Example

const result = authz.explain(user, "edit", "listing", listing)

console.log(result)

Example Output

{
  allowed: true,
  role: "user",
  resource: "listing",
  action: "edit",
  reason: "condition passed"
}

If no rule matches:

{
  allowed: false,
  reason: "no matching rule"
}

Use authz.explain() for debugging and development, and authz.can() for regular authorization checks.

Core Concepts

Simple Authz follows a common authorization model:

Subject → Action → Resource

| Component | Description | | --------- | ------------------------------ | | Subject | The user performing the action | | Action | What the user wants to do | | Resource | The object being accessed |

Example:

broker → edit → listing

Policy Language (TOON)

Policies are written in TOON format.

Basic rule syntax:

allow <role> <action> <resource>

Example:

allow admin *
allow user view listing
allow broker publish listing

Wildcard Permissions

You can use * to allow everything.

Example:

allow admin *

This allows the admin role to perform any action on any resource.

Conditional Rules

Policies can include conditions.

Syntax:

allow <role> <action> <resource>
condition <condition>

Example:

allow broker edit listing
condition listing.owner_id == user.id

Meaning:

A broker can only edit listings they own.

Condition Variables

Conditions can reference:

| Variable | Description | | -------- | --------------------- | | user | authenticated user | | resource | target resource | | context | optional request data |

Example:

allow user edit profile
condition user.id == resource.id

Policy Examples

Example 1 – Basic Roles

allow admin *

allow user view listing

allow broker publish listing

Example 2 – Ownership Rules

allow broker edit listing
condition listing.owner_id == user.id

Example 3 – Multiple Rules

allow admin *

allow user view listing

allow broker publish listing

allow broker edit listing
condition listing.owner_id == user.id

Working with Roles

Users can have one or multiple roles.

Example user:

const user = {
    id: 10,
    roles: ["broker"]
}

Multiple roles:

const user = {
    id: 5,
    roles: ["user","editor"]
}

The engine checks permissions against all roles.

Authorization API

Load policy file

authz.load("./authz.toon")

Check permission

authz.can(user, action, resource, object)

Example:

authz.can(user,"edit","listing",listing)

Returns:

true
false

Example Integration

Example: Listing System

User:

const user = {
  id: 10,
  roles: ["broker"]
}

Listing:

const listing = {
  owner_id: 10
}

Permission check:

authz.can(user,"edit","listing",listing)

Result:

true

Example: Express.js Integration

Example route protection:

app.put("/listing/:id", async (req,res)=>{

    const allowed = authz.can(
        req.user,
        "edit",
        "listing",
        req.listing
    )

    if(!allowed){
        return res.status(403).send("Access denied")
    }

    updateListing()
})

Project Structure Example

Recommended project layout:

project
│
├── policies
│   └── authz.toon
│
├── src
│
├── app.js
│
└── package.json

Performance

Policies are compiled into an internal permission index for fast lookups.

Authorization checks are optimized to avoid scanning all rules.

This allows the engine to remain efficient even as policy files grow.

Security Model

Default behavior follows the deny-by-default principle.

Meaning:

If no rule allows an action, access is automatically denied.

no rule → deny
rule exists → allow

This reduces the risk of unintended access.

Roadmap

Future versions may include:

  • Policy hot reloading
  • Role inheritance
  • Policy debugger
  • Middleware helpers
  • Permission caching
  • Modular policy files
  • Distributed policy storage

Contributing

Contributions are welcome.

Steps:

  1. Fork the repository
  2. Create a feature branch
  3. Commit changes
  4. Open a pull request

License

This project is licensed under the Apache 2.0 license.

Author

Simple Authz was created to simplify authorization logic in modern Node.js applications.

Keywords