Working with JavaScript Types
Oso’s Node.js authorization library allows you to write policy rules over JavaScript types directly. This document explains how different types of JavaScript values can be used in Oso policies.
More detailed examples of working with application objects can be found in our Guides.
Objects
You can pass any JavaScript object into Oso and access its properties from your policy (see Application Types).
Class Instances
Any new-able JavaScript object (including ES6-style classes) can be
constructed from inside an Oso policy using Polar’s
new
operator if the constructor (a class or function that
responds to JavaScript’s
new operator) has been registered
using the oso.registerClass() method. An example of this can be found
here.
Numbers and Booleans
Polar supports integer and floating point real numbers, as well as booleans (see Primitive Types).
Strings
JavaScript strings are mapped to Polar strings. JavaScript’s string methods may be called in policies:
allow(actor, _action, _resource) if actor.username.endsWith("example.com");
class User {
constructor(username) {
this.username = username;
}
}
const user = new User("alice@example.com");
oso.isAllowed(user, "foo", "bar").then(assert);
Polar does not support methods that mutate strings in place.
Lists
JavaScript Arrays are mapped to Polar lists. JavaScript’s Array methods may be called in policies:
allow(actor, _action, _resource) if actor.groups.includes("HR");
class User {
constructor(groups) {
this.groups = groups;
}
}
const user = new User(["HR", "payroll"]);
oso.isAllowed(user, "foo", "bar").then(assert);
Polar does not support methods that mutate lists in place unless the list is also returned from the method.
Likewise, lists constructed in Polar may be passed into JavaScript methods:
allow(actor, _action, _resource) if actor.hasGroups(["HR", "payroll"]);
class User {
constructor(groups) {
this.groups = groups;
}
hasGroups(other) {
return other.every((group) => this.groups.includes(group));
}
}
const user = new User(["HR", "payroll"]);
oso.isAllowed(user, "foo", "bar").then(assert);
There is currently no syntax for random access to a list element within a
policy; i.e., there is no Polar equivalent of the JavaScript expression
user.groups[1]. To access the elements of a list, you may iterate over it
with
the in operator or destructure it
with
pattern matching.
Iterables
You may iterate over any synchronous or asynchronous) JavaScript iterables using Polar’s in operator:
allow(actor, _action, _resource) if "payroll" in actor.getGroups();
class User {
getGroups() {
return ["HR", "payroll"];
}
}
const user = new User();
oso.isAllowed(user, "foo", "bar").then(assert);
Promises
Oso will await any
Promise and then use the resolved value
during evaluation of a policy.
null
The JavaScript null value is registered as the Polar constant
nil. If a JavaScript function can
return null, you may want to compare the result to nil:
allow(actor, _action, _resource) if actor.getOptional() != nil;
class User {
getOptional() {
return someCondition() ? someThing : null;
}
}
JavaScript → Polar Types Summary
| JavaScript type | Polar type |
|---|---|
number (integer) |
Integer |
number (float) |
Float |
boolean |
Boolean |
Array |
List |
string |
String |
Connect with us on Slack
If you have any questions, or just want to talk something through, jump into Slack. An Oso engineer or one of the thousands of developers in the growing community will be happy to help.