@ApiAuthorizationPolicy
Registers a class as an authorization policy for a specific entity. Policies execute before every secured CRUD route and can allow/deny requests based on custom logic.
Signature
```typescript
@ApiAuthorizationPolicy<E extends IApiBaseEntity>({
  entity,
  priority?,
  policyId?,
  description?,
}: IApiAuthorizationPolicySubscriberProperties<E>)
```
Options
| Option | Description |
|---|---|
| cache | Optional cache override for this policy (`isEnabled`, `ttlMs`). |
| entity | Entity this policy protects. Required. |
| priority | Higher priorities execute earlier. Defaults to 0. |
| policyId | Optional custom identifier. Defaults to `<entityName>Policy`. Useful when multiple policies protect the same entity. |
| description | Short summary displayed in tooling or logs. |
Usage steps
- Extend `ApiAuthorizationPolicyBase<E>` and implement lifecycle hooks (`onBeforeCreate`, `onBeforeGetList`, etc.).
- Decorate the class with `@ApiAuthorizationPolicy`.
- Import `ApiAuthorizationModule` so policies are discovered.
- Add `@ApiControllerSecurable()` (and optionally `@ApiController`) to controllers that should enforce policies.
Example
```typescript
import { Injectable } from "@nestjs/common";
import type { IApiAuthorizationRuleContext, IApiAuthorizationScope, TApiAuthorizationPolicyBeforeGetListResult, TApiAuthorizationRuleScopeResolver } from "@elsikora/nestjs-crud-automator";
import { ApiAuthorizationPolicy, ApiAuthorizationPolicyBase } from "@elsikora/nestjs-crud-automator";
// Assumed location of the entity class; adjust the path to your project.
import { UserEntity } from "./user.entity";

@Injectable()
@ApiAuthorizationPolicy<UserEntity>({
  entity: UserEntity,
  priority: 150,
  description: "Allow admins and support staff to manage users",
})
export class UserAccessPolicy extends ApiAuthorizationPolicyBase<UserEntity> {
  public onBeforeGetList(): TApiAuthorizationPolicyBeforeGetListResult<UserEntity> {
    // Scope resolver: restricts the list query to rows owned by the requesting subject.
    const scope: TApiAuthorizationRuleScopeResolver<UserEntity> = (context: IApiAuthorizationRuleContext<UserEntity>): IApiAuthorizationScope<UserEntity> => ({
      where: { ownerId: context.subject.id },
    });
    // Only admins and support staff may list users, and only within the scope above.
    return this.allowForRoles(["admin", "support"], {
      description: "Admins and support can list users",
      scope,
    });
  }
}
```
Hook context
`context.DATA` contains typed metadata for the request, including the resolved subject and optional `authenticationRequest`.
Return type helpers
Use `TApiAuthorizationPolicyBefore*Result` and `TApiAuthorizationPolicyCustomActionResult` to make hook return types explicit. Hooks always return arrays of rules; use an empty array (`[]`) when no rules apply.
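To show how the options and hook rules above fit together at evaluation time (higher priority first, `policyId` defaulting to `<entityName>Policy`, a hook returning `[]` contributing nothing, a scope resolver narrowing `where`), here is an added stand-alone model in TypeScript. It is not the library's code: the in-memory registry, matching a rule by the subject's roles and merging scopes with `Object.assign` are assumptions made for illustration.

```typescript
// Added example: a stand-alone model of the decorator semantics documented above
// (priority order, default policyId, empty-array hooks, scope resolvers). It is NOT the
// library's evaluator; matching rules by role and merging `where` clauses are assumptions.
interface Subject { id: string; roles: string[] }
interface Scope { where: Record<string, unknown> }
interface Rule { roles: string[]; description: string; scope?: (ctx: { subject: Subject }) => Scope }
interface PolicyOptions { entity: { name: string }; priority?: number; policyId?: string; description?: string }
interface Policy { onBeforeGetList(): Rule[] }
const registry = new Map<string, { id: string; priority: number; policy: Policy }[]>();

// Decorator factory: applies the defaults from the options table
// (priority 0, policyId "<entityName>Policy") and registers the class.
function ApiAuthorizationPolicy(options: PolicyOptions) {
  return (target: new () => Policy): void => {
    const entries = registry.get(options.entity.name) ?? [];
    entries.push({ id: options.policyId ?? `${options.entity.name}Policy`, priority: options.priority ?? 0, policy: new target() });
    registry.set(options.entity.name, entries);
  };
}

// Run every policy registered for an entity, higher priority first, keep the rules
// whose roles the subject holds, and merge their scopes into a single `where`.
function resolveListScope(entityName: string, subject: Subject): { policyIds: string[]; where: Record<string, unknown> } {
  const ordered = [...(registry.get(entityName) ?? [])].sort((a, b) => b.priority - a.priority);
  const where: Record<string, unknown> = {};
  for (const { policy } of ordered) {
    for (const rule of policy.onBeforeGetList()) {
      if (!rule.roles.some((role) => subject.roles.includes(role))) continue;
      Object.assign(where, rule.scope?.({ subject }).where ?? {});
    }
  }
  return { policyIds: ordered.map((entry) => entry.id), where };
}

class UserEntity {}

// Same rule as the page's example; policyId is omitted, so it defaults to "UserEntityPolicy".
class UserAccessPolicy implements Policy {
  onBeforeGetList(): Rule[] {
    return [{ roles: ["admin", "support"], description: "Admins and support can list users",
      scope: (ctx) => ({ where: { ownerId: ctx.subject.id } }) }];
  }
}
// A second, default-priority (0) policy on the same entity that contributes no list rules.
class UserAuditPolicy implements Policy {
  onBeforeGetList(): Rule[] { return []; }
}
// Plain calls equivalent to applying `@ApiAuthorizationPolicy({...})` to each class.
ApiAuthorizationPolicy({ entity: UserEntity, priority: 150 })(UserAccessPolicy);
ApiAuthorizationPolicy({ entity: UserEntity, policyId: "UserAuditPolicy" })(UserAuditPolicy);
```

A subject without one of the listed roles gets an empty `where`, which in a real deployment the library's own allow/deny evaluation, not this model, decides how to treat.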
Policy cache override
Use the `cache` option when you want to cache only specific policies:
```typescript
@ApiAuthorizationPolicy<UserEntity>({
  entity: UserEntity,
  cache: { isEnabled: true, ttlMs: 60_000 },
})
export class UserAccessPolicy extends ApiAuthorizationPolicyBase<UserEntity> {}
```
Related resources