Skip to content

JavaScript expression parsing and evaluation, maintained by Casbin team. A hard fork from the unmaintained: https://github.com/donmccurdy/expression-eval

License

Notifications You must be signed in to change notification settings

node-casbin/expression-eval

Repository files navigation

expression-eval

NPM version NPM download ci Coverage Status Discord

JavaScript expression parsing and evaluation.

Powered by jsep.

Installation

Install:

npm install --save @casbin/expression-eval

Import:

// ES6
import { parse, eval } from '@casbin/expression-eval';
// CommonJS
const { parse, eval } = require('@casbin/expression-eval');
// UMD / standalone script
const { parse, eval } = window['@casbin/expression-eval'];

API

Parsing

import { parse } from '@casbin/expression-eval';
const ast = parse('1 + foo');

The result of the parse is an AST (abstract syntax tree), like:

{
  "type": "BinaryExpression",
  "operator": "+",
  "left": {
    "type": "Literal",
    "value": 1,
    "raw": "1"
  },
  "right": {
    "type": "Identifier",
    "name": "foo"
  }
}

Evaluation

import { parse, eval } from '@casbin/expression-eval';
const ast = parse('a + b / c'); // abstract syntax tree (AST)
const value = eval(ast, {a: 2, b: 2, c: 5}); // 2.4

Alternatively, use evalAsync for asynchronous evaluation.

Compilation

import { compile } from '@casbin/expression-eval';
const fn = compile('foo.bar + 10');
fn({foo: {bar: 'baz'}}); // 'baz10'

Alternatively, use compileAsync for asynchronous compilation.

Security

Although this package does avoid the use of eval(), it cannot guarantee that user-provided expressions, or user-provided inputs to evaluation, will not modify the state or behavior of your application. This library does not attempt to provide a secure sandbox for evaluation. Evaluation of arbitrary user inputs (expressions or values) may lead to unsafe behavior. If your project requires a secure sandbox, consider alternatives such as vm2.

License

Apache 2.0 License.