Netpress Laravel-inspired backend framework for Node.js

Authorization

Authorization answers a different question from authentication:

Can this user perform this action?

Netpress supports two layers:

  • core policies and the can() helper
  • the optional NetPress Permissions package for roles, permissions, morph assignments, and route guards

Core Authorization

Core authorization is policy-first and Laravel-like.

You can:

  • call await can(user, "posts.publish")
  • call await can(user, "update", post)
  • call await can("update", post, { user })
  • use await this.can(req, "update", post) inside a controller
  • use await this.authorize(req, PolicyClass, "update", post) when you want an explicit policy class

If a matching policy exists, Netpress uses it first. If no policy matches, permission-aware models can fall back through hasPermissionTo().

import { can } from "@admicaa/netpress";

await can(user, "posts.publish");
await can(user, "update", post);

Quick Policy Example

// app/Policies/PostPolicy.js
export default class PostPolicy {
  async update(user, post) {
    return user.role === "admin" || user.id === post.userId;
  }
}

Register it:

import { registerPolicy } from "@admicaa/netpress";
import Post from "../Models/Post.js";
import PostPolicy from "../Policies/PostPolicy.js";

registerPolicy(Post, PostPolicy);

Use it in a controller:

const post = await PostService.show(req.params.id);
await this.can(req, "update", post);

Or explicitly:

await this.authorize(req, PostPolicy, "update", post);
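
The resolution order described under Core Authorization, applied to the PostPolicy rule above, as a stand-alone model added for illustration; it is not Netpress source code. The names registerPolicyModel, canModel, makeUser and the permissions array are hypothetical, and treating a policy that has no method for the ability as "no match" is an assumption.

```javascript
// Simplified model of policy-first authorization (not Netpress source code).
const policies = new Map(); // model class -> policy instance (hypothetical registry)
function registerPolicyModel(ModelClass, PolicyClass) {
  policies.set(ModelClass, new PolicyClass());
}

// Order from the text: matching policy first, then hasPermissionTo(), else deny.
// Only a strict `true` grants access.
async function canModel(user, ability, subject) {
  if (!user) return false; // unauthenticated callers never pass
  const policy = subject ? policies.get(subject.constructor) : undefined;
  if (policy && typeof policy[ability] === "function") {
    return (await policy[ability](user, subject)) === true;
  }
  if (typeof user.hasPermissionTo === "function") {
    return (await user.hasPermissionTo(ability)) === true;
  }
  return false; // no policy and no permission source: deny by default
}

class Post {
  constructor(id, userId) { this.id = id; this.userId = userId; }
}

// Same rule as the PostPolicy shown above.
class PostPolicy {
  async update(user, post) {
    return user.role === "admin" || user.id === post.userId;
  }
}
registerPolicyModel(Post, PostPolicy);

// Constructed sample users; `permissions` is an assumed field for the fallback.
function makeUser(id, role, permissions = []) {
  return { id, role, hasPermissionTo: async (name) => permissions.includes(name) };
}

async function demo() {
  const post = new Post(10, 1); // constructed: post 10 is owned by user 1
  return {
    owner: await canModel(makeUser(1, "user"), "update", post),
    otherUser: await canModel(makeUser(2, "user"), "update", post),
    admin: await canModel(makeUser(3, "admin"), "update", post),
    // The policy has no `delete` method, so the permission fallback decides.
    deleteNoGrant: await canModel(makeUser(2, "user"), "delete", post),
    publishGranted: await canModel(makeUser(4, "user", ["posts.publish"]), "posts.publish"),
    anonymous: await canModel(null, "update", post),
  };
}
demo().then((result) => console.log(result));
```

The otherUser case is the one worth keeping as a regression test: a user who is neither the owner nor an admin must be refused for a post they do not own.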

Route-Level Authorization

The starter also includes route middleware helpers for role checks and explicit policy checks:

import authMiddleware from "../app/Http/Middleware/auth.js";
import { authorize, requireRole } from "../app/Http/Middleware/role.js";

router.group(authMiddleware, (router) => {
  router.group(requireRole("admin"), (router) => {
    router.get("/users", UserController.index);
  });
});

router.delete(
  "/posts/:id",
  authMiddleware,
  authorize(PostPolicy, "delete", (req) => PostService.show(req.params.id)),
  PostController.destroy,
);

Authorization In Views

When the starter resolves the web guard for server-rendered routes, views get:

  • auth.user
  • Auth.user()
  • Auth.check()
  • can()

That means a page can read the current user directly:

export default function DashboardPage({ Auth, auth }) {
  return <h1>Hello {Auth.user()?.name || auth.user?.name}</h1>;
}

can() is available too, but it stays async because policies and permissions may touch the database. For conditional rendering, prefer resolving those booleans in the controller and passing them as props.

When To Add NetPress Permissions

Reach for the permissions package when your app needs:

  • many reusable roles
  • named permissions like posts.update
  • polymorphic role or permission assignments
  • guard-aware route middleware such as AuthGuard.can() or AuthGuard.role()

That package builds on top of Netpress core auth and authorization instead of replacing them.