
Vaden Security

VadenSecurity is a security module for the Vaden backend framework, built with Dart. It handles authentication and authorization with zero boilerplate, inspired by the power and simplicity of Spring Security.

It scans your classes with a custom build system, so the security configuration is generated automatically and enabling it takes a single line of code.

Getting Started

  1. Add the dependency to your pubspec.yaml (pin a concrete version in a real project rather than any):

dependencies:
  vaden_security: any

  2. Register the module on your app module class:

@VadenModule([VadenSecurity])
class AppModule {}

  3. Create a security configuration class:

import 'package:vaden/vaden.dart';
import 'package:vaden_security/vaden_security.dart';

@Configuration()
class SecurityConfiguration {
  // Password hashing used for stored credentials. Cost 10 is the usual
  // bcrypt default; raise it as far as your login latency budget allows.
  @Bean()
  PasswordEncoder passwordEncoder() {
    return BCryptPasswordEncoder(cost: 10);
  }

  // Token issuing and validation, driven by the "security" block of application.yaml.
  @Bean()
  JwtService jwtService(ApplicationSettings settings) {
    return JwtService.withSettings(settings);
  }

  // Authorization rules. Keep the AnyRequest() catch-all last, as every
  // example on this page does, so the specific matchers are consulted first.
  @Bean()
  HttpSecurity httpSecurity() {
    return HttpSecurity([
      RequestMatcher('/auth/**').permitAll(),
      RequestMatcher('/docs/**').permitAll(),
      AnyRequest().authenticated(),
    ]);
  }
}

  4. Add the security settings to your application.yaml:

security:
  secret: AisuSijfdiflkDkldkeokdokDKodk   # placeholder only: use a long random value loaded from the environment, never a string committed to the repo
  tokenValidity: 3600                     # access-token lifetime in seconds (one hour)
  refreshTokenValidity: 604800            # refresh-token lifetime in seconds (seven days)
  issuer: "vaden"
  audiences:
    - "vaden"

  5. Implement the UserDetailsService interface to load user details:

import 'package:vaden/vaden.dart';
import 'package:vaden_security/vaden_security.dart';

@Service()
class UserDetailsServiceImpl implements UserDetailsService {
  @override
  Future<UserDetails> loadUserByUsername(String username) async {
    ... // look the user up in your store and return its UserDetails; throw if it does not exist
  }
}

Return a UserDetails object carrying the user's information and roles. Store passwords hashed with the PasswordEncoder bean (bcrypt above), never in plain text.

The authenticated UserDetails can be retrieved in any @Controller() by adding a @Context() parameter to a handler:

@Get('/byUser')
List<Product> getProductsByUser(@Context() UserDetails user) {
  return productService.getProductsByUser(user);
}
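The settings from step 4 are what the token service signs and checks. The following Python sketch is an added example, not vaden_security's code, and shows what each setting means by minting and verifying HS256 tokens with the same claims: tokenValidity and refreshTokenValidity become exp, issuer becomes iss, audiences becomes aud. The claim layout, the custom use claim that keeps a refresh token from being accepted as an access token, and the forge_roles helper are assumptions made for the example; the minimum secret length comes from RFC 7518 section 3.2 (an HS256 key must be at least 256 bits), which the sample secret above does not meet.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed settings mirroring the "security" block of application.yaml above.
SETTINGS = {
    "secret": "AisuSijfdiflkDkldkeokdokDKodk",  # the page's placeholder; too short, see below
    "tokenValidity": 3600,                      # access-token lifetime, seconds
    "refreshTokenValidity": 604800,             # refresh-token lifetime, seconds
    "issuer": "vaden",
    "audiences": ["vaden"],
}

HS256_MIN_SECRET_BYTES = 32  # RFC 7518 section 3.2: HS256 keys must be >= 256 bits


def secret_meets_hs256_minimum(secret: str) -> bool:
    return len(secret.encode("utf-8")) >= HS256_MIN_SECRET_BYTES


def new_secret() -> str:
    """A secret that meets the minimum; keep it in the environment, not the repo."""
    return base64.urlsafe_b64encode(os.urandom(HS256_MIN_SECRET_BYTES)).decode("ascii")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret: str, signing_input: str) -> bytes:
    return hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(settings: dict, subject: str, roles: list, refresh: bool = False,
                now: Optional[int] = None) -> str:
    """Mint an HS256 JWT whose iss/aud/exp claims come from the settings block."""
    now = int(time.time()) if now is None else now
    lifetime = settings["refreshTokenValidity"] if refresh else settings["tokenValidity"]
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": subject, "roles": roles,
        "iss": settings["issuer"], "aud": settings["audiences"],
        "iat": now, "exp": now + lifetime,
        "use": "refresh" if refresh else "access",  # assumed claim separating the two token kinds
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8")) for part in (header, payload))
    return signing_input + "." + _b64url(_sign(settings["secret"], signing_input))


def verify_token(settings: dict, token: str, expected_use: str = "access",
                 now: Optional[int] = None) -> dict:
    """Return the payload of an acceptable token or raise ValueError.
    Order: pin the algorithm, check the signature, only then trust any claim."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects alg=none and algorithm-confusion tokens
    if not hmac.compare_digest(_sign(settings["secret"], head_b64 + "." + body_b64), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body_b64))
    if payload.get("iss") != settings["issuer"]:
        raise ValueError("wrong issuer")
    aud = payload.get("aud", [])
    if not set(aud if isinstance(aud, list) else [aud]) & set(settings["audiences"]):
        raise ValueError("audience mismatch")
    if now >= payload.get("exp", 0):
        raise ValueError("token expired")
    if payload.get("use") != expected_use:
        raise ValueError("wrong token type")  # a refresh token must not pass as an access token
    return payload


def accepts(settings: dict, token: str, **kwargs) -> bool:
    """True if verify_token would accept the token under the given settings."""
    try:
        verify_token(settings, token, **kwargs)
        return True
    except ValueError:
        return False


def forge_roles(token: str, roles: list) -> str:
    """What a tampering client sends: rewritten roles claim, original signature kept."""
    head_b64, body_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(body_b64))
    payload["roles"] = roles
    return ".".join((head_b64, _b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8")), sig_b64))
```

The verify order matters: the algorithm is pinned and the signature checked before any claim is read, a token signed for another issuer or audience is refused even though its signature verifies, and the expiry comparison uses the lifetimes from the settings, so a refresh token outlives an access token but is never accepted where an access token is expected.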

HttpSecurity

The HttpSecurity class holds an ordered list of rules for your API endpoints, similar to Spring Security. Each rule starts from a RequestMatcher, which supports path globbing and optional HTTP method filtering, and ends with a security action:

RequestMatcher('/admin/**', HttpMethod.get).hasRole('admin');

The matcher supports the following security actions:

Method                    Description
permitAll()               Allows any matching request (no authentication required)
denyAll()                 Blocks every matching request
authenticated()           Requires a valid authentication token
hasRole('role')           Requires the authenticated user to hold the given role
hasAnyRole(['r1', 'r2'])  Requires at least one of the listed roles

🔧 Example

@Bean()
HttpSecurity httpSecurity() {
  return HttpSecurity([
    // Public access to auth and docs
    RequestMatcher('/auth/**').permitAll(),
    RequestMatcher('/docs/**').permitAll(),

    // Allow only GET to "/public"; other methods on it fall through to the rules below
    RequestMatcher('/public', HttpMethod.get).permitAll(),

    // Restrict DELETE on /admin/** to the "admin" role
    RequestMatcher('/admin/**', HttpMethod.delete).hasRole('admin'),

    // Secure everything else (the catch-all goes last)
    AnyRequest().authenticated(),
  ]);
}

Glob Support

The path parameter accepts glob patterns. Examples:

  • /api/** → matches everything under /api/, at any depth
  • /users/*.json → matches the .json files directly in /users/ (a single * does not span a / separator)
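To make the rule chain from the HttpSecurity section and the glob semantics above concrete, here is a small Python model of them. It is an added example, not vaden_security's code: it assumes first-match-wins evaluation in listed order (the Spring Security convention the page's examples rely on) and standard path globbing where * stops at / and ** crosses it. RequestMatcher, AnyRequest, HttpSecurity and the action names are transcribed from the page; Principal, Request, the sample users and the sample requests are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    """The user recovered from a valid token (constructed for this example)."""
    username: str
    roles: frozenset


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    user: Optional[Principal] = None  # None: no valid credential was presented


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Path glob to anchored regex: '**' spans '/' separators, '*' and '?' do not."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


@dataclass(frozen=True)
class Rule:
    matcher: "RequestMatcher"
    action: str
    allows: Callable[[Optional[Principal]], bool]


class RequestMatcher:
    """Matches on a path glob and, optionally, one HTTP method."""

    def __init__(self, pattern: str, method: Optional[str] = None):
        self.pattern = pattern
        self.regex = glob_to_regex(pattern)
        self.method = method.upper() if method else None

    def matches(self, req: Request) -> bool:
        if self.method is not None and req.method.upper() != self.method:
            return False
        return self.regex.match(req.path) is not None

    def permit_all(self) -> Rule:
        return Rule(self, "permitAll", lambda u: True)

    def deny_all(self) -> Rule:
        return Rule(self, "denyAll", lambda u: False)

    def authenticated(self) -> Rule:
        return Rule(self, "authenticated", lambda u: u is not None)

    def has_role(self, role: str) -> Rule:
        return Rule(self, f"hasRole({role})", lambda u: u is not None and role in u.roles)

    def has_any_role(self, roles: Iterable[str]) -> Rule:
        wanted = frozenset(roles)
        return Rule(self, f"hasAnyRole({sorted(wanted)})",
                    lambda u: u is not None and bool(u.roles & wanted))


class AnyRequest(RequestMatcher):
    def __init__(self):
        super().__init__("/**")

    def matches(self, req: Request) -> bool:
        return True


class HttpSecurity:
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def authorize(self, req: Request) -> Tuple[bool, str]:
        """(allowed, deciding rule): first matching rule wins; nothing matching means deny."""
        for rule in self.rules:
            if rule.matcher.matches(req):
                return rule.allows(req.user), f"{rule.matcher.pattern} {rule.action}"
        return False, "no rule matched (default deny)"


# The page's example chain, transcribed into this model.
SECURITY = HttpSecurity([
    RequestMatcher("/auth/**").permit_all(),
    RequestMatcher("/docs/**").permit_all(),
    RequestMatcher("/public", "GET").permit_all(),
    RequestMatcher("/admin/**", "DELETE").has_role("admin"),
    AnyRequest().authenticated(),
])

# Same rules with the catch-all first: it wins every time, so /auth/login is
# no longer reachable without a token and the permitAll below is dead.
MISORDERED = HttpSecurity([
    AnyRequest().authenticated(),
    RequestMatcher("/auth/**").permit_all(),
])

ALICE = Principal("alice", frozenset({"user"}))   # constructed sample users
ROOT = Principal("root", frozenset({"admin"}))
```

Two outcomes of the page's own chain are worth checking in the model: POST /public is not public, because only GET was permitted and the request falls through to the authenticated catch-all, and GET /admin/users/1 by alice is allowed, because the hasRole rule is scoped to DELETE and every other method on /admin/** is governed by the catch-all. Method-scoped role rules therefore protect exactly the method named and nothing else.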

Roadmap

• ✅ JWT Support
• 🔜 OAuth2 / OpenID Providers
• 🔜 RBAC / Fine-grained policies
• 🔜 Session-based auth (Cookie)
• 🔜 Multi-tenancy support