ZenStack is a toolkit that simplifies the development of a web app's backend. It supercharges Prisma ORM with a powerful access control layer and unleashes its full potential for web development.
Our goal is to let you save time writing boilerplate code and focus on building real features!
ZenStack extended Prisma schema language for supporting custom attributes and functions and, based on that, implemented a flexible access control layer around Prisma.
// schema.zmodel
model Post {
id String @id
title String
published Boolean @default(false)
author User @relation(fields: [authorId], references: [id])
authorId String
// 🔐 allow logged-in users to read published posts
@@allow('read', auth() != null && published)
// 🔐 allow full CRUD by author
@@allow('all', author == auth())
}
At runtime, transparent proxies are created around Prisma clients for intercepting queries and mutations to enforce access policies. Moreover, framework integration packages help you wrap an access-control-enabled Prisma client into backend APIs that can be safely called from the frontend.
// Next.js example: pages/api/model/[...path].ts
import { requestHandler } from '@zenstackhq/next';
import { withPolicy } from '@zenstackhq/runtime';
import { getSessionUser } from '@lib/auth';
import { prisma } from '@lib/db';
export default requestHandler({
getPrisma: (req, res) => withPolicy(prisma, { user: getSessionUser(req, res) }),
});
Plugins can generate strong-typed client libraries that talk to the APIs:
// React example: components/MyPosts.tsx
import { usePost } from '@lib/hooks';
const MyPosts = () => {
// Post CRUD hooks
const { findMany } = usePost();
// list all posts that're visible to the current user, together with their authors
const { data: posts } = findMany({
include: { author: true },
orderBy: { createdAt: 'desc' },
});
return (
<ul>
{posts?.map((post) => (
<li key={post.id}>
{post.title} by {post.author.name}
</li>
))}
</ul>
);
};
- Access control and data validation rules right inside your Prisma schema
- Auto-generated RESTful API and client library
- End-to-end type safety
- Extensible: custom attributes, functions, and a plugin system
- Framework agnostic
- Uncompromised performance
Check out the Collaborative Todo App for a running example. You can find the source code below:
Join our discord server for chat and updates!