This repository has been archived by the owner on Apr 19, 2023. It is now read-only.

Authorization Model: Where did Casbin go? #1658

Closed
L-U-C-K-Y opened this issue Jan 19, 2021 · 4 comments

Comments

@L-U-C-K-Y

Hi all

Found this project and was reading through the readme and repo.

I noticed that the readme says that Casbin is used for authorization, but I cannot find any reference in the code.
Has it been removed again?

If yes, could I ask for the reasoning behind it? Have you found a more suitable option?

Thanks!

@hsluoyz

hsluoyz commented Jan 19, 2021

@L-U-C-K-Y I think it has gone after this V3 PR: #1475

@AnandChowdhary
Member

Thanks for opening this issue, @L-U-C-K-Y! Yes, until v3, we were using Casbin to manage permissions, but now we're doing everything using scopes in v4. I find this much simpler because scopes can have wildcards and you can have as many or as few associated with a user or API key.

For example, if a user (with user ID 10, for example) has the scope user-10:delete, this user can delete itself. If you're an admin, you might have the scope user-*:delete, meaning that you can delete all users, or user-*:*, meaning that you can do anything to users, or even *.

The default scopes are available at https://github.com/staart/api/blob/v4.0.2/src/helpers/scopes.ts.
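
The wildcard scope check described in the comment above, as an added TypeScript example that is not part of the thread and not Staart's own code. `scopeToRegExp` and `hasScope` are hypothetical names, and it assumes `*` matches any run of characters while everything else is literal.

```typescript
// Added example: wildcard scope matching in the style described above.
// Assumption: "*" matches any run of characters; all other characters are literal.

/** Compile one granted scope (e.g. "user-*:delete") into an anchored RegExp. */
function scopeToRegExp(granted: string): RegExp {
  const literalParts = granted
    .split("*")
    // Escape regex metacharacters so that only "*" behaves as a wildcard.
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  // Anchor both ends: "user-1:delete" must not authorize "user-10:delete".
  return new RegExp("^" + literalParts.join(".*") + "$");
}

/** Deny by default: true only if some granted scope covers the required one. */
function hasScope(grantedScopes: string[], required: string): boolean {
  if (required.length === 0) return false;
  return grantedScopes.some(
    (granted) => granted.length > 0 && scopeToRegExp(granted).test(required)
  );
}

// Constructed sample grants, mirroring the scopes named in the comment above.
function demo(): Record<string, boolean> {
  return {
    selfDelete: hasScope(["user-10:delete"], "user-10:delete"),
    deleteOther: hasScope(["user-10:delete"], "user-11:delete"),
    adminDelete: hasScope(["user-*:delete"], "user-11:delete"),
    adminUpdate: hasScope(["user-*:delete"], "user-11:update"),
    userWildcard: hasScope(["user-*:*"], "user-11:update"),
    superAdmin: hasScope(["*"], "group-3:write"),
    prefixConfusion: hasScope(["user-1:delete"], "user-10:delete"),
    metaCharLiteral: hasScope(["user.10:delete"], "userX10:delete"),
  };
}

console.log(demo());
```

Because `*` here also spans `:`, a grant such as `user-*:delete` covers any required scope that starts with `user-` and ends with `:delete`; a stricter design would confine the wildcard to one segment.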

@L-U-C-K-Y
Author

Thanks @AnandChowdhary for elaborating!

@hsluoyz

hsluoyz commented Jan 21, 2021

Hi @AnandChowdhary

> For example, if a user (with user ID 10, for example) has the scope user-10:delete, this user can delete itself. If you're an admin, you might have the scope user-*:delete, meaning that you can delete all users, or user-*:*, meaning that you can do anything to users, or even *.

I think the wildcards can also be supported by Casbin via the keyMatch() and regexMatch() functions: https://casbin.org/docs/en/function#functions-in-matchers
