IEngine

Defined in: src/types/IAccessControlOptions.ts:61

Engine mechanics & security — how the library parses, validates and reports, independent of your authorization model. Constructor-only.

Compare with IPolicy (your domain’s authorization model) and context (the data conditions read). Rule of thumb: if it’s about the library’s behavior, it’s engine; if it’s about your domain, it’s policy; if a condition reads it with $., it’s context.

optional pathPrefix?: string

Defined in: src/types/IAccessControlOptions.ts:67

The notation path sentinel used in conditions. With the default '$', $.order.value is a path and foo is a literal. Set a different prefix (e.g. '@') when your data contains $.-leading literal strings.


optional allowRegex?: boolean

Defined in: src/types/IAccessControlOptions.ts:76

Whether the matches (regular-expression) condition operator is permitted. Default false — opt-in, because a regular expression from a grant store is a ReDoS (catastrophic-backtracking) surface. When enabled, patterns are still screened for the well-known catastrophic shapes, but that screen is a heuristic, not a linear-time guarantee — only enable it for trusted grant sources.
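The following TypeScript sketch is an added example, not the library's own screening code. It shows why a pattern screen is a heuristic: the hypothetical `hasNestedQuantifier` and `screenGrantPattern` catch the nested-quantifier shape but let a different catastrophic shape through. All function names and sample patterns are assumptions constructed for illustration.

```typescript
// Added example: a hypothetical pre-screen, not the library's implementation.
type Verdict = 'rejected:regex-disabled' | 'rejected:nested-quantifier' | 'accepted';

const isQuantifier = (ch: string | undefined): boolean =>
  ch === '*' || ch === '+' || ch === '{';

// True when a quantified group contains another quantifier, e.g. (a+)+ or ((a*)b)*.
function hasNestedQuantifier(pattern: string): boolean {
  const groups: boolean[] = []; // per open group: quantifier seen inside?
  let inClass = false;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }               // skip the escaped character
    if (inClass) { if (ch === ']') inClass = false; continue; }
    if (ch === '[') { inClass = true; continue; }
    if (ch === '(') { groups.push(false); continue; }
    if (ch === ')') {
      const inner = groups.pop() ?? false;
      const outer = isQuantifier(pattern[i + 1]);
      if (inner && outer) return true;
      // A quantifier in or on this group also counts for the enclosing group.
      if ((inner || outer) && groups.length > 0) groups[groups.length - 1] = true;
      continue;
    }
    if (isQuantifier(ch) && groups.length > 0) groups[groups.length - 1] = true;
  }
  return false;
}

// Mirrors the documented policy: off by default, screened when opted in.
function screenGrantPattern(pattern: string, allowRegex = false): Verdict {
  if (!allowRegex) return 'rejected:regex-disabled';
  return hasNestedQuantifier(pattern) ? 'rejected:nested-quantifier' : 'accepted';
}

// Constructed sample patterns, as they might arrive from a grant store.
const samples = ['^ord-[0-9]+$', '(a+)+$', '((a*)b)*$', '(a|aa)+$'];
for (const p of samples) console.log(p, '->', screenGrantPattern(p, true));
// '(a|aa)+$' is accepted: overlapping alternation under a quantifier also
// backtracks exponentially, but this screen only looks for nested quantifiers.
```

A screen of this kind narrows the surface; restricting regex grants to trusted sources is what actually bounds it.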


optional charset?: Charset

Defined in: src/types/IAccessControlOptions.ts:84

Allowed character set for consumer-supplied names (roles, resources, actions, groups, categories). Default Charset.ASCII. Use Charset.UNICODE for internationalized names — but note the homograph risk documented on that enum. Structural characters (/ : $ * !) and the reserved prototype keywords are always rejected regardless.


optional safeErrors?: boolean

Defined in: src/types/IAccessControlOptions.ts:92

When true (default), error messages omit caller-supplied values (names, the raw query/grant object) to avoid leaking request data into logs. The values remain available on the error’s structured fields (err.role/err.action/err.resource) and err.code. Set false to get verbose messages (… Got: "…".) during development.


optional errorCodePrefix?: string

Defined in: src/types/IAccessControlOptions.ts:100

Optional string prepended to every AccessControlError code (default ''). Use it to namespace AC codes against your own — e.g. 'AC_' makes err.code === 'AC_ROLE_NOT_FOUND'. Note: with a prefix set, compare against the prefixed value (err.code === 'AC_' + ErrorCode.ROLE_NOT_FOUND), since the bare-enum comparison no longer matches.