Security and access control
Squid provides powerful authorization features to help you control access to your different entities, including AI agents, databases, backend functions, and APIs. This allows you to protect your data and ensure that only authorized users can perform certain actions.
Squid's access control is managed in the Squid backend using TypeScript functions. To mark a function as pertaining to access control, you apply one or more decorators, which are labels that start with an @
. For example, the following function uses the @secureDatabase
decorator to ensure only authenticated users have access to the build-in database:
@secureDatabase('all', 'built_in_db') // Decorator marks function as securing a database
allowAccessToBuiltInDb(): boolean {
return this.isAuthenticated();
}
Using Squid decorators and the Squid Backend SDK, you can restrict access to your entities based on various criteria such as user roles and permissions.
If a client attempts to access a secured entity but the authorization function returns false
, indicating that the user
is not authorized, the client will receive an Error
with the following details
{
"statusCode": 401,
"message": "UNAUTHORIZED"
}
For example, the following code ensures only the specified user can read their record in a collection called users
:
import {
secureCollection,
SquidService,
QueryContext,
} from '@squidcloud/backend';
type User = { id: string; email: string; age: number };
export class ExampleService extends SquidService {
@secureCollection('users', 'read')
secureUsersRead(context: QueryContext<User>): boolean {
const userAuth = this.getUserAuth();
if (!userAuth) {
return false;
}
const userId = userAuth.userId;
return context.isSubqueryOf('id', '==', userId);
}
}
Based on this security functionality, a client who attempts to run the following query will return an error because this function attempts to access multiple user records not belonging to the user:
// This function will throw an error
async function readAllUsers(squid: Squid): Promise<User[]> {
return await squid.collection<User>('users').query().snapshot();
}
Explore
To learn more about access controls for individual features, check out the following documentation:
Securing data access
Use a range of decorators provided by Squid to protect any database that is connected to Squid, including the built-in internal database.
Securing APIs
Use the @secureApi decorator to protect and manage access to an API integration.
Securing GraphQL
Use the @secureGraphQL decorator to protect access to your GraphQL integrations.
Securing distributed locks
Distributed locks manage access to shared resources to transact data in order. The @secureDistributedLock decorator secures locks.
Securing the Squid AI Agent
Use the @secureAiAgent decorator to designate a function as securing a given agent.
Securing storage buckets
The @secureStorage decorator which allows protects your storage buckets so only authorized users can access your files.
Securing Squid Queues
The @secureTopic decorator protect your Apache Kafka queues, ensuring that only authorized users can access your data stream messages.