The latest articles on DEV Community by Diyor Umarkulov (@diyorumarkulov). https://dev.to/diyorumarkulov https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1866729%2F92c0f529-bcb2-477e-9ddc-039b3bec8e13.jpeg https://dev.to/diyorumarkulov en Diyor Umarkulov Sat, 02 Aug 2025 09:02:57 +0000 https://dev.to/diyorumarkulov/tired-of-bloated-acls-meet-scode-acl-a-minimal-schema-driven-token-friendly-access-control-2h73 https://dev.to/diyorumarkulov/tired-of-bloated-acls-meet-scode-acl-a-minimal-schema-driven-token-friendly-access-control-2h73 <blockquote> <p><em>“Permissions shouldn't feel like building a nuclear reactor.”</em><br><br> — Every developer buried in JSON access trees</p> </blockquote> <h2> 🔥 What's the problem? </h2> <p>In every project with users, roles, and permissions, you eventually hit something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"user"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"profile"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"read"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"edit"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"settings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"change"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"order"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"delivery"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"cancel"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>😵‍💫 Massive, nested JSON<br><br> 🤯 Redundant data (false/null/undefined)<br><br> 🧩 Pain to store in JWTs, sessions, or URLs<br><br> 🧨 Breaks when schema changes</p> <h2> 🚀 Enter <code>scode-acl</code> </h2> <p><code>scode-acl</code> (Structured Compressed ACL) is a <strong>schema-driven, ultra-compact access control tool</strong> built with TypeScript. It compresses permission data into string-encoded indexes like <code>"0 3 7"</code>, verifiable by schema hash.</p> <h3> 🛡 Core ideas: </h3> <ul> <li><p>✅ Schema → dot paths → compressed string</p></li> <li><p>✅ Only stores <code>true</code> permissions</p></li> <li><p>✅ Validates schema with <code>crc32</code> or <code>sha256</code></p></li> <li><p>✅ Works great in JWTs, cookies, URLs, mobile apps</p></li> <li><p>✅ Full access check API</p></li> </ul> <h2> ⚙️ Flat Mode Example </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createFlatSCode</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">scode-acl</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">schema</span> <span class="o">=</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="p">{</span> <span class="na">profile</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">read</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">update</span><span class="dl">"</span><span class="p">],</span> <span class="na">settings</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">change</span><span class="dl">"</span><span class="p">],</span> <span class="p">},</span> <span class="na">order</span><span class="p">:</span> <span class="p">{</span> <span class="na">delivery</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">cancel</span><span class="dl">"</span><span class="p">],</span> <span class="p">},</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">access</span> <span class="o">=</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="p">{</span> <span class="na">profile</span><span class="p">:</span> <span class="p">{</span> <span class="na">read</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">settings</span><span class="p">:</span> <span class="p">{</span> <span class="na">change</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">},</span> <span class="na">order</span><span class="p">:</span> <span class="p">{</span> <span class="na">delivery</span><span class="p">:</span> <span class="p">{</span> <span class="na">cancel</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">},</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">formatter</span> <span class="o">=</span> <span class="nf">createFlatSCode</span><span class="p">(</span><span class="nx">schema</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">access</span><span class="p">:</span> <span class="nx">accessString</span><span class="p">,</span> <span class="nx">schemaHash</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">formatter</span><span class="p">.</span><span class="nf">encodeAccess</span><span class="p">(</span><span class="nx">access</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">accessString</span><span class="p">);</span> <span class="c1">// → "0 3 5"</span> </code></pre> </div> <h3> 🔍 Parse access string </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">formatter</span><span class="p">.</span><span class="nf">parseAccess</span><span class="p">(</span><span class="nx">accessString</span><span class="p">,</span> <span class="nx">schemaHash</span><span class="p">);</span> <span class="c1">// → ['user.profile.read', 'user.settings.change', 'order.delivery.cancel']</span> </code></pre> </div> <h3> ✅ Check a permission </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">formatter</span><span class="p">.</span><span class="nf">hasAccess</span><span class="p">(</span><span class="dl">"</span><span class="s2">user.profile.read</span><span class="dl">"</span><span class="p">,</span> <span class="nx">accessString</span><span class="p">);</span> <span class="c1">// → true</span> </code></pre> </div> <h2> ⚡ Performance Comparison </h2> <p>Format</p> <p>Encode Time</p> <p>Size (30+ permissions)</p> <p>JSON</p> <p>~8ms</p> <p>~300 bytes</p> <p><code>scode-acl</code></p> <p>~1.2ms</p> <p>~16–28 bytes</p> <p>It’s basically <strong>JWT-safe</strong> and <strong>sessionStorage-ready</strong>.</p> <h2> 🔌 Use Cases </h2> <ul> <li><p>✅ <strong>JWT tokens</strong> — fits easily in payload</p></li> <li><p>✅ <strong>GraphQL/REST auth guards</strong></p></li> <li><p>✅ <strong>Admin panels</strong> — cleaner than boolean spaghetti</p></li> <li><p>✅ <strong>Mobile/web apps</strong> — tiny access footprint</p></li> <li><p>✅ <strong>Firebase custom claims / access tokens</strong></p></li> </ul> <h2> 🔮 Why is it useful? </h2> <ul> <li><p>Only <code>true</code> permissions are stored</p></li> <li><p>Schema hash ensures backward compatibility</p></li> <li><p>Tiny strings — easier to debug than full JSON</p></li> <li><p>Supports <strong>Flat</strong> and <strong>Nested</strong> encoding</p></li> <li><p>100% TypeScript — type-safe, fast, and portable</p></li> </ul> <h2> 🛠 Install </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>scode-acl </code></pre> </div> <h2> 🛣 Roadmap </h2> <ul> <li><p>Wildcard permissions (<code>user.profile.*</code>)</p></li> <li><p>Role groups (<code>admin</code>, <code>viewer</code>)</p></li> <li><p>GUI schema editor (Web playground)</p></li> <li><p>Schema → TS type generator</p></li> </ul> <h2> 🔗 Links </h2> <ul> <li><p>🧠 <a href="https://github.com/DiyorUmarkulov/scode-acl" rel="noopener noreferrer">GitHub Repo</a></p></li> <li><p>📦 <a href="https://www.npmjs.com/package/scode-acl" rel="noopener noreferrer">NPM Package</a></p></li> <li><p>🤝 Maintainer: <a href="https://linkedin.com/in/diyor-dev" rel="noopener noreferrer">@diyor-dev on LinkedIn</a></p></li> </ul> <h2> 🧠 Final thoughts </h2> <p>Most ACL systems are heavy, bloated, or overcomplicated.<br><br> <code>scode-acl</code> is a minimalistic alternative designed to be:</p> <blockquote> <p>🧩 Small enough to fit in a token.<br><br> 🔍 Clear enough to read as a dot path.<br><br> 🧠 Smart enough to validate itself.</p> </blockquote> <p>If you're building systems that deal with <strong>auth, access control, roles, or modular UIs</strong> — try <code>scode-acl</code>.<br><br> Use it, fork it, improve it.</p> <p>And if you’ve been burned by ACL complexity before —<br><br> you’ll probably find this <em>very refreshing</em>.</p> security backend saas performance