Skip to main content


You can use EzRules to prevent unauthorized packets or HTTP requests from returning data to malicious users.

Setting a Rule

Each EzModel has EzRules which can be set with the following syntax

model.rules.for(RuleType.CREATE).check((req,event) => {
if (/** Your Condition here */) throw Boom.unauthorized()

In the rule, to prevent further execution of the code (e.g a HTTP reply being sent or a packet being sent), you need to throw an error.

Available Rule Types

You can add rules for multiple RuleTypes, for example:

).check((req, event) => {
if (/** Your Condition here */) throw Boom.unauthorized()

To prevent a user from receiving unauthorized packet updates, set the RuleType.READ property

How it works

EzRules works using async local storage in order to save requests contexts through the call stack.

Explanation Image

In the above example

  1. A HTTP Request is made
  2. A fastify preHandler sets req.user to Bob
  3. This req is saved in the context
  4. the HTTP Request handler calls foo()
  5. foo() results in a database read
  6. Entities are read from CashTransactions
  7. The entities are saved in the context
  8. Since there is a req context and a entity context, the rules are checked to see if Bob has permission to read the transaction