// the find
apache/casbin-node-casbin
An authorization library that supports access control models like ACL, RBAC, ABAC in Node.js and Browser
Node-Casbin is a policy-based authorization library for Node.js and browsers, porting the Go Casbin engine to TypeScript. It handles ACL, RBAC, and ABAC through declarative `.conf` model files and policy tables, keeping authorization logic out of application code. Useful when your access control requirements are complex enough to warrant a dedicated policy engine but not complex enough to justify a full OPA or Zanzibar-style system.
The model/policy separation is genuinely useful — you can change who can do what by editing a CSV or DB rows without touching code. Browser support via the `frontend.ts` build is a real differentiator; most auth libraries don't bother. The adapter pattern for policy persistence is well-designed: swap in a DB, Redis, or file backend without changing enforcement code. Test coverage across ACL, RBAC, ABAC, and domain-scoped roles is thorough and the examples directory gives you working `.conf` files for every supported model variant.
The Go implementation is the reference and the Node port lags behind it — if you find a bug, the fix may exist in casbin/casbin but not here yet. Policy loading is in-memory by default, so large policy sets (tens of thousands of rules) will eat RAM and make startup slow; there's no lazy-loading or pagination. The `.conf` syntax for defining models is a bespoke DSL that has no editor tooling and fails silently in confusing ways when misconfigured. Real-time policy sync across multiple instances relies on 'watchers' that you have to wire up yourself, and the docs for that path are thin.