Permissions & Security

Air Framework provides a robust security layer for managing interactions between modules, which is especially useful in enterprise environments.

The framework uses a declarative permission system. Each module can declare what actions it is allowed to perform.

const authPermissions = ModulePermissions([
  ScopedPermission(Permission.dataRead),
  ScopedPermission(Permission.dataWrite, 'user.*'),
  ScopedPermission(Permission.serviceCall, 'auth.*'),
]);
PermissionChecker().registerModule('auth', authPermissions);

The permission checker runs in one of two modes:

  • Debug Mode (Default): Permission violations only log a yellow warning to the console, and the action still proceeds. This keeps development fast, but nothing is enforced in this mode.
  • Strict Mode: Violations throw a SecurityException. Enable this in production:
    PermissionChecker().enable(); // Enable strict enforcement
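
The difference between the two modes, as a stand-alone Dart model added here for illustration; it is not Air Framework code, and every name in it (Perm, Grant, ModelChecker, ModelSecurityException) is hypothetical. It assumes a scope such as 'user.*' is a prefix wildcard, which the page does not specify.

```dart
// Stand-alone model, NOT Air Framework code. All names here are hypothetical.
enum Perm { dataRead, dataWrite, serviceCall }
class Grant {
  final Perm perm;
  final String? scope; // null = unscoped; 'user.*' = assumed prefix wildcard
  const Grant(this.perm, [this.scope]);

  bool covers(Perm p, String target) {
    if (p != perm) return false;
    final s = scope;
    if (s == null) return true;
    if (!s.endsWith('.*')) return s == target;
    // Keep the dot in the prefix so 'user.*' does not cover 'users.list'.
    return target.startsWith(s.substring(0, s.length - 1));
  }
}

class ModelSecurityException implements Exception {
  final String message;
  ModelSecurityException(this.message);
}

class ModelChecker {
  final Map<String, List<Grant>> _grants = {};
  bool strict = false; // mirrors the documented default: debug mode
  void register(String moduleId, List<Grant> grants) => _grants[moduleId] = grants;
  /// Returns true if the action may proceed; throws in strict mode on a violation.
  bool check(String moduleId, Perm p, String target) {
    final ok = (_grants[moduleId] ?? const <Grant>[]).any((g) => g.covers(p, target));
    if (ok) return true;
    final msg = '$moduleId lacks ${p.name} on $target';
    if (strict) throw ModelSecurityException(msg);
    print('WARNING: $msg (debug mode, action allowed)');
    return true;
  }
}

void main() {
  final checker = ModelChecker()
    ..register('auth', const [Grant(Perm.dataRead), Grant(Perm.dataWrite, 'user.*')]);
  print(checker.check('auth', Perm.dataWrite, 'user.profile')); // inside the granted scope
  print(checker.check('auth', Perm.dataWrite, 'orders.total')); // violation, still proceeds
  checker.strict = true; // constructed scenario: same call after enabling strict mode
  try {
    checker.check('auth', Perm.dataWrite, 'orders.total');
  } on ModelSecurityException catch (e) {
    print('blocked: ${e.message}');
  }
}
```

In the model, the same out-of-scope write succeeds with only a console warning until strict mode is switched on, which is why a production build that never enables strict enforcement has declared permissions but no enforcement.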

Instead of registering services directly in the DI, you can use the SecureServiceRegistry to restrict which modules can call your services.

SecureServiceRegistry().registerService(
  name: 'payments.process',
  ownerModuleId: 'payments',
  service: (amount) => _process(amount),
  allowedCallers: ['checkout'], // Only 'checkout' module can call this
);

You can store shared data that automatically expires after a certain time.

SecureServiceRegistry().setSecureData<String>(
  'auth.token',
  'jwt-content',
  callerModuleId: 'auth',
  ttl: Duration(hours: 2),
);