4.0.1 • Public • Published

Atrix ACL

Atrix plugin providing Access Control Lists to requests to specific routes.


atrix-acl >= 4.0.0 work with artix >= 6.0.0. For versin compatible with atrix < 6.0.0 checkouot v3 branch


Sample Configuration:

acl: {
	aclDefinition: path.join(__dirname, './acls'),
	allowInject: true,
	tokenResourceAccessRoleKey: 'pathfinder-app',
	endpoints: [
  • aclDefinition - path to the aclDefinition file, should return a method which returns an array of ACLs
  • allowInject - allow hapi-inject routes, without applying ACLs
  • tokenResourceAccessRoleKey - name of the default app in the JWT-token
  • endpoints - endpoints which should be ignored

ACL Definitions


{	role: 'admin', path: '/*a', method: '*' }

Allow user with role admin to access all paths with all methods

{ role: 'editor1', path: '/pets/:petId', method: 'put' }

Allow user with role editor1 access to path /pets/:petId with PUT method

{ userId: '242', path: '/pets/123', method: 'get' }

Allow user with userId 242 access to specific resource path /pets/123 with GET method

{ userId: '242', transition: 'cancel:speaker', method: '*' }

Allow user with userId 242 to perform transition 'cancel:speaker'

{ userId: '242', transition: 'cancel:(*_)', method: '*' }

Allow user with userId 242 to perform any transition starting with 'cancel:'

The AtrixACL uses route-parser npm package, to test incoming paths against the defined routes (similar to Hapi route definition).

Rules / Token

The user role is extracted from the JWToken via the authorization header. The AtrixACL plugin assumes the following format of a token:

credentials: {
	preferred_username: "john.doe",
	email: "john.doe@test.com",
	name: "John Doe",
	resource_access: {
		voegb: { roles: ['admin'] },
		ak: { roles: ['admin'] },
		'pathfinder-app': { roles: ['super-admin'] },

Given a configuration with the tokenResourceAccessRoleKey set to pathfinder-app, the AtrixACL uses this value as the default-role for the user (in the example above: 'super-admin')

If a x-pathfinder-tenant-ids header field is present, all the corresponding (tenant-specific) roles are extracted from the token and also tested agains the ACLs.


The AtrixACL plugin hooks into two handlers of the hapi request-lifecycle:

  • onPreHandler
  • onPreResponse


The plugins checks if the current user/role has access to the requested route. If not, it returns status-code 401. The options allowInject and endpoints are taken into consideration.


The plugins checks if a _links object is present in the response (or, if response-body is an array, in every item of the array) and manipulates the response-body. If present, every link/href in the hatr-links object is tested agains the ACLs and set to false, if the user/role has no access to a specific action/transition.



Package Sidebar


npm i @trigo/atrix-acl

Weekly Downloads






Unpacked Size

65.3 MB

Total Files


Last publish


  • kelkes
  • mdulghier
  • trigo-admin