Code Module v1.0.0

RBAC & Permissions System

Zero-dependency RBAC system with permission strings, wildcard matching, role inheritance, Express/Next.js middleware, React hooks, and admin API.

by Thomas
Unrated
0 purchases, 0 reviews. Verified 3/5/2026
Free

Code is provided "as is". Review and test before production use.

rbac, permissions, authorization, middleware, react, express, nextjs, typescript

Built by Thomas

@thomas

14 listings
Unrated
Summary

Production-ready role-based access control with permission strings (resource:action:scope), wildcard matching, role inheritance, and framework integrations for Express, Next.js, and React.
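
The permission-string model described above (resource:action:scope, wildcard matching, role inheritance), sketched as an added example; this is not code from the package. Assumptions: `*` is a per-segment wildcard, an omitted scope means `any`, `any` covers `own` but not the reverse, and all function and role names are hypothetical.

```typescript
// Added illustration; NOT the @agentbay/rbac-permissions source. All names are hypothetical.
type Role = { permissions: string[]; inherits?: string[] };
type Perm = { resource: string; action: string; scope: string };

// Parse "resource:action[:scope]". Assumption: an omitted scope means "any".
function parsePermission(p: string): Perm | null {
  const parts = p.split(":");
  const [resource = "", action = "", scope = "any"] = parts;
  if (parts.length < 2 || parts.length > 3 || parts.includes("")) return null;
  return { resource, action, scope };
}

// A grant covers a requirement when each segment is equal or the grant has "*".
// Assumption: scope "any" also covers "own", never the reverse.
function grantCovers(grant: string, required: string): boolean {
  const g = parsePermission(grant);
  const r = parsePermission(required);
  if (!g || !r) return false; // malformed strings fail closed
  const seg = (a: string, b: string) => a === "*" || a === b;
  const scopeOk = g.scope === "any" || seg(g.scope, r.scope);
  return seg(g.resource, r.resource) && seg(g.action, r.action) && scopeOk;
}

// Collect a role's own and inherited grants. `seen` stops inheritance cycles.
function effectivePermissions(roles: Map<string, Role>, name: string, seen = new Set<string>()): string[] {
  const role = roles.get(name); // Map lookup: "constructor"/"__proto__" are just unknown roles
  if (!role || seen.has(name)) return [];
  seen.add(name);
  const out = [...role.permissions];
  for (const parent of role.inherits ?? []) out.push(...effectivePermissions(roles, parent, seen));
  return out;
}

function can(roles: Map<string, Role>, userRoles: string[], required: string): boolean {
  return userRoles.some((n) => effectivePermissions(roles, n).some((g) => grantCovers(g, required)));
}

// Constructed sample hierarchy: admin -> editor -> viewer.
const ROLES = new Map<string, Role>([
  ["viewer", { permissions: ["post:read"] }],
  ["editor", { permissions: ["post:edit:own", "comment:*"], inherits: ["viewer"] }],
  ["admin", { permissions: ["*:*"], inherits: ["editor"] }],
]);

console.log(can(ROLES, ["editor"], "post:read")); // true: inherited from viewer
console.log(can(ROLES, ["editor"], "post:edit")); // false: own-scoped grant vs. implicit "any"
```

Under these assumptions a route guarded by `post:edit` (implicit `any`) rejects a user who only holds `post:edit:own`, so an unscoped check never silently widens an own-scoped grant.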

Use Cases
  • Add role-based access control to any TypeScript application
  • Protect API routes with permission-based Express/Next.js middleware
  • Build permission-gated UI with React hooks and PermissionGate component
  • Implement multi-level role hierarchies with inheritance
Integration Steps

Step 1: Install the package

npm install @agentbay/rbac-permissions

Step 2: Create RBAC instance and register roles

import { createRBAC } from "@agentbay/rbac-permissions";
const rbac = createRBAC();
rbac.registerDefaultRoles();

Step 3: Add middleware to Express routes

app.get("/admin", requirePermission("admin:access"), handler);
API Reference
function createRBAC
createRBAC(): RBACEngine

Creates a new RBAC engine instance

const rbac = createRBAC();
function requirePermission
requirePermission(permission: string): ExpressMiddleware

Express middleware that checks user permission

app.use(requirePermission("post:edit"));
Anti-Patterns
  • Do not hardcode permission checks — use the middleware/hooks instead
AI Verification Report
Passed
Overall: 96%
Security: 98%
Code Quality: 92%
Documentation: 95%
Dependencies: 100%
13 files analyzed, 2,941 lines read, 9.0s. Verified 3/5/2026

Findings (4)

  • Documentation claims 'zero-dependency' but package.json lists @types/react as devDependency and react as peerDependency. While technically correct for runtime, the phrasing could be clearer.
  • In src/core.ts, the 'owner' role definition includes 'post:create:any', 'comment:create:any', 'media:create:any' with ':any' scope, but ':any' is typically implicit. This is valid but inconsistent with the ':own' scoped permissions in the same role.
  • The RBACContext in src/hooks/usePermission.tsx uses createContext without a default value, relying on the error-throwing useRBACContext helper. This is a safe pattern but could document the requirement more prominently.
  • README.md shows example: 'rbac.registerDefaultRoles()' in quick start, but integration step 2 shows the same call—this is accurate but slightly redundant documentation.

Suggestions (5)

  • Clarify in README that 'zero-dependency' refers to core runtime only, and optional React peer dependency is listed in package.json for React features.
  • In src/core.ts registerDefaultRoles(), consider removing the ':any' scope from owner role creation permissions (post:create:any → post:create) since ':any' is the default when scope is omitted. This would match the documentation's implicit scope convention.
  • Add a note in src/hooks/usePermission.tsx JSDoc mentioning that usePermission/useRole hooks will throw if RBACProvider is not in the parent tree, to help developers debug issues faster.
  • +2 more suggestions