Missing type-checking in classes with protected constructor

[yodosan]

Describe the bug
Hello, I'm trying to set up CASL with NestJS and get full TypeScript support defining each ability (actions, subjects, fields, conditions) but something is missing.
My classes have the constructor protected, which CASL doesn't seem to like very much; however, I think I found an acceptable trade-off (if somewhat verbose).

This is what I've done so far:

class UserEntity {
  protected constructor(
    readonly id: string,
    readonly name: string,
    readonly createdBy: Date
  ) {}

  static create(id: string, name: string) {
    return new UserEntity(id, name, new Date())
  }
}

type Actions = 'create' | 'read' | 'update' | 'delete'

type User = UserEntity & TaggedInterface<'UserEntity'>
type Subjects = InferSubjects<User> | 'all'
type AppAbility = PureAbility<[Actions, Subjects]>

@Injectable()
export class CASLAbilityFactory {
  createForUser() {
    const { can, build } = new AbilityBuilder<AppAbility>(PureAbility)

    can<User>('create', 'UserEntity')

    return build()
  }
}

Now, the action, the subject, and the fields are correctly checked, but for some reason, it can be done for the properties; as we can see there is no type-checking:

Is CASL doing something wrong or is it me?

CASL Version

@casl/ability: 6.7.2

Environment:
TypeScript: 5.6.3
NodeJS: 22

[serhiistotskyi]

This is actually how types work in TS. You can read this answer on SO -> https://stackoverflow.com/questions/66599065/typescript-abstract-static-factory-with-protected-constructor#answer-70118566

The issue is that there is no other way to check that Function is actually a class -> https://www.typescriptlang.org/play/?#code/MYGwhgzhAEAqCmEAu0DeBYAUNaAHATgPZLzAkAm0whAdsvgK5mH4AU+8Y5tIAntAEtyALmj0BNAOYBKNAF8sCzFiS9c8OGo0BeaDXgB3aKwB0ZsPkkRRYGrwDaAXVnaAfNFv8VWzeoAi8ABm0Lqm5pbWHnZOLu6e0ABkaHhESMRaNnbQSt7qvvAAkhAAcsQAggDC4FAh0KrqhMEIyNDwAB4kNOQwsD4A-HWMGqKBYCAQ8LkaAEIMSAVIABKQAAqp6eoA8jQLtfXwjXCIKO2d3ckExBvw

I obviously can check that object has prototype on it but then any object can actually be passed, even not a function. I also can check.

So, this is not something what I plan to address immediately. You can just remove protected from constructor and mark it with JSDoc as @deprecated to make it crossed in IDE

[yodosan]

Hi @serhiistotskyi, thanks for your reply.
I will not remove the protected attribute on constructors, this is an architectural choice made on the entire code base.

The issue is that there is no other way to check that Function is actually a class -> https://www.typescriptlang.org/play/?#code/MYGwhgzhAEAqCmEAu0DeBYAUNaAHATgPZLzAkAm0whAdsvgK5mH4AU+8Y5tIAntAEtyALmj0BNAOYBKNAF8sCzFiS9c8OGo0BeaDXgB3aKwB0ZsPkkRRYGrwDaAXVnaAfNFv8VWzeoAi8ABm0Lqm5pbWHnZOLu6e0ABkaHhESMRaNnbQSt7qvvAAkhAAcsQAggDC4FAh0KrqhMEIyNDwAB4kNOQwsD4A-HWMGqKBYCAQ8LkaAEIMSAVIABKQAAqp6eoA8jQLtfXwjXCIKO2d3ckExBvw

Unfortunately, the editor linked is empty.

However, I found a solution that can be handy if someone else has the same need.

Something like that:

class UserEntity {
  protected constructor(
    readonly id: string,
    readonly name: string,
    readonly createdBy: Date
  ) {}

  static create(id: string, name: string) {
    return new UserEntity(id, name, new Date())
  }
}

type Action = 'create' | 'read' | 'update' | 'delete'
type User = UserEntity & TaggedInterface<'UserEntity'>
type Subject = InferSubjects<User> | 'all'

@Injectable()
export class CASLAbilityFactory {
  createForUser() {
    const { can, build } = new AbilityBuilder<PureAbility<[Action, Subject], MatchConditions>>(
      PureAbility<[Action, Subject], MatchConditions>
    )

    can('create', 'UserEntity', ['name'], ({ id }) => id === '1')

    return build({
      conditionsMatcher: (matchConditions: MatchConditions) => matchConditions,
      fieldMatcher: fields => field => fields.includes(field),
    })
  }
}

In this way, it's possible to define conditions with the help of TypeScript:

What's your opinion? Do you see any drawbacks?

[stalniy]

In this case you do not need to use TaggedInterface, it relies on additional property which tell type of object to casl. So, the potential issue may be on calling side. because casl will expect you to pass TaggedInterface<'UserEntity'> & UserEntity but in your code you will have only UserEntity instance. This can be solved though by adding kind property on UserEntity which = to "UserEntity"

[stalniy]

casl also supports mongoose like specification for custom types. So, the entity can be defined with custom static modelName property:

class UserEntity {
  static readonly modelName = 'UserEntity' // <-------- this one

  protected constructor(
    readonly id: string,
    readonly name: string,
    readonly createdBy: Date
  ) {}

  static create(id: string, name: string) {
    return new UserEntity(id, name, new Date())
  }
}

Which tells casl how to deal with it. This probably would be the best way to go but currently it's not fully supported because in types I always expected that modelName is specified on class (everything what can be used with new). Classes with protected/private constructor are not newable (we can't use new operator to create instance of one) and as a result all type checks for class won't work.

Probably it's time to revisit those casl types