Access control

ℹ️

Although usable, access control is still a feature in development and the API is planned to expand from here. More information is on the roadmap (opens in a new tab).

Access control in Triplit occurs at the entity level. Although this is an improvement over membership/room based apis, access control does not extends to individual properties.

Typically a user's id is used to determine access. The user's id is accessible by providing a custom token to Triplit, as explained in the Auth guide.

Access control checks run exclusively on the server, and are not enforced on the client. This means that a user can still read and write to a document they do not have access to, but the server will reject the request.

Access control rules

Rules for access control are defined in the rules property of a schema. Both read and write rules are defined with a unique identifier, an optional description, and a filter. The filter is a filter clause that is appended any query for that collection.

import { Schema as S } from '@triplit/db';
const schema = {
  collections: {
    todos: {
      schema: S.Schema({
        id: S.Id(),
        author_id: S.String(),
        text: S.String(),
      }),
      rules: {
        read: {
          'author-is-user': {
            description: 'Users can only post todos they authored',
            filter: [['author_id', '=', '$SESSION_USER_ID']],
          },
        },
        write: {
          'author-is-user': {
            description: 'Users can only edit their own todos',
            filter: [['author_id', '=', '$SESSION_USER_ID']],
          },
        },
      },
    },
  },
};

$SESSION_USER_ID is a special variable injected by Triplit. It is the user id of the user that is authenticated with the current session.

Schemas Client options