
Security & Auth

Nexical employs a “Defense in Depth” strategy using Chained Middleware and Policy-Based Access Control.

The src/middleware.ts file acts as the host: it discovers the middleware export of every module and chains them, so each request passes through every module's onRequest in turn before reaching the route.

modules/auth/src/middleware.ts

```typescript
export default {
  // Requests to these paths bypass the auth check in onRequest
  publicRoutes: ['/login', '/register'],
  onRequest: async (context, next) => {
    // Validation logic
    return next();
  },
};
```

Basic (coarse-grained) role checks are handled via ApiGuard or by reading context.locals.actor directly:

```typescript
if (actor.role !== 'ADMIN') throw new Error('Forbidden');
```

For finer granularity (e.g., “Can this user edit this specific team?”), use the RoleRegistry:

```typescript
await roleRegistry.check('team.owner', context, { teamId });
```
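The following is an added, self-contained model of the three pieces above working together: a host that chains module middleware and honours publicRoutes, an auth module that fails closed, the coarse role check, and a RoleRegistry policy check. It is example code, not Nexical's own implementation: the Context shape, the session table, the rule that a module is skipped when the path is in its publicRoutes, the audit module, and the RoleRegistry class (register/check) are all assumptions made for illustration.

```typescript
// Added example, not Nexical's own code. Shapes, session table, bypass rule
// and RoleRegistry API are assumptions for illustration.

type Role = 'ADMIN' | 'USER';
interface Actor { id: string; role: Role; ownedTeams: string[] }
interface Res { status: number; body: string }
interface Context {
  path: string;
  headers: Record<string, string>;
  locals: { actor?: Actor };
}
type Next = () => Promise<Res>;
interface ModuleMiddleware {
  publicRoutes?: string[];
  onRequest: (context: Context, next: Next) => Promise<Res>;
}

// Constructed session table standing in for real session validation.
const SESSIONS: Record<string, Actor> = {
  'tok-alice': { id: 'alice', role: 'ADMIN', ownedTeams: ['t1'] },
  'tok-bob': { id: 'bob', role: 'USER', ownedTeams: ['t2'] },
};

// Auth module: fail closed unless the bearer token maps to a session.
const authMiddleware: ModuleMiddleware = {
  publicRoutes: ['/login', '/register'],
  onRequest: async (context, next) => {
    const token = context.headers['authorization']?.replace(/^Bearer /, '');
    const actor = token ? SESSIONS[token] : undefined;
    if (!actor) return { status: 401, body: 'Unauthorized' };
    context.locals.actor = actor;
    return next();
  },
};

// Audit module: placed after auth so it can record who made the request.
const auditLog: string[] = [];
const auditMiddleware: ModuleMiddleware = {
  onRequest: async (context, next) => {
    const res = await next();
    auditLog.push(`${context.locals.actor?.id ?? 'anon'} ${context.path} ${res.status}`);
    return res;
  },
};

// Host: chains each module's onRequest. A module is skipped when the path is
// in its publicRoutes (assumed bypass semantics); next() may run only once.
function chain(modules: ModuleMiddleware[], handler: (c: Context) => Promise<Res>) {
  return (context: Context): Promise<Res> => {
    const run = (i: number): Promise<Res> => {
      const mod = modules[i];
      if (!mod) return handler(context);
      if (mod.publicRoutes?.includes(context.path)) return run(i + 1);
      let called = false;
      return mod.onRequest(context, () => {
        if (called) throw new Error('next() called more than once');
        called = true;
        return run(i + 1);
      });
    };
    return run(0);
  };
}

// Policy layer: named policies evaluated against the request context.
type Policy = (context: Context, params: Record<string, string>) => boolean;
class RoleRegistry {
  private policies = new Map<string, Policy>();
  register(name: string, policy: Policy): void { this.policies.set(name, policy); }
  async check(name: string, context: Context, params: Record<string, string> = {}): Promise<void> {
    const policy = this.policies.get(name);
    // An unknown policy name denies rather than silently allowing.
    if (!policy || !policy(context, params)) throw new Error('Forbidden');
  }
}
const roleRegistry = new RoleRegistry();
roleRegistry.register('team.owner', (ctx, { teamId }) =>
  ctx.locals.actor?.ownedTeams.includes(teamId) ?? false);

// Routes: coarse role check for /admin, fine-grained policy for team edits.
async function routes(context: Context): Promise<Res> {
  try {
    if (context.path === '/login') return { status: 200, body: 'login form' };
    const actor = context.locals.actor!; // set by authMiddleware for non-public paths
    if (context.path === '/admin') {
      if (actor.role !== 'ADMIN') throw new Error('Forbidden');
      return { status: 200, body: 'admin panel' };
    }
    const m = context.path.match(/^\/teams\/([^/]+)\/edit$/);
    if (m) {
      await roleRegistry.check('team.owner', context, { teamId: m[1] });
      return { status: 200, body: `editing ${m[1]}` };
    }
    return { status: 404, body: 'Not Found' };
  } catch (e) {
    const forbidden = e instanceof Error && e.message === 'Forbidden';
    return forbidden ? { status: 403, body: 'Forbidden' } : { status: 500, body: 'Error' };
  }
}

const handle = chain([authMiddleware, auditMiddleware], routes);

function request(path: string, token?: string): Promise<Res> {
  const headers = token ? { authorization: `Bearer ${token}` } : {};
  return handle({ path, headers, locals: {} });
}
```

Two design points worth noting: an unauthenticated request to a non-public path is rejected by the auth module before any later module or route runs, and an unregistered policy name in `check` denies rather than allows, so a typo in a policy name cannot open a route.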