warrant VS wasp

Warrant — Hosted enterprise-grade authorization and access control service for your apps. The free tier includes 1 million monthly API requests and 1,000 authz rules.

The specific challenge with authz in the app layer is that different apps can have different access models with varying complexity, especially the more granular you get (e.g. implementing fine grained access to specific objects/resources - like Google Docs).

Personally, I think a rebac (relationship/graph based) approach works best for apps because permissions in applications are mostly relational and/or hierarchical (levels of groups). There are authz systems out there such as Warrant https://warrant.dev/ (I'm a founder) in which you can define a custom access model as a schema and enforce it in your app.

Let's use warrant.dev as an example. The system provides a set of REST APIs for you to define object types and access policies (called warrants). The general process is first to create object types using HTTP POST:

https://warrant.dev/ (Provider) Relatively new authZ provider, they have a dashboard where you can manage your rules in a central location and then use them from multiple languages via their SDKs, even on the client to perform UI checks. Rules can also be managed programmatically via SDK.

I would describe this debate more as Policy-as-Data (Zanzibar) vs Policy-as-Code (OPA et al).

In Zanzibar, all of the information required to make an authorization decision (namespaces, relationship tuples, etc.) is stored in Zanzibar, and the decision engine resolves access checks based on this data. This data can be scaled horizontally (and consistently) as needed for an application’s needs. This makes Zanzibar a centralized, unified solution for all of an application’s authorization needs. I’ve found this approach more purpose built / well suited for application authorization.

With OPA and other policy engines, the data required for performing access checks lives somewhere else (maybe the application’s database) and must be separately queried and included as part of the authorization check because OPA et al. are stateless decision engines. This makes it such that you need to piece together data from different sources in order to get your final decision, which IMO is something most developers don’t want to deal with.

On the flip side, Zanzibar’s “namespaces” are a very simple policy layer not well suited to querying against data outside of Zanzibar’s scope (e.g. geolocation, time, etc). For scenarios like this, a full fledged policy-as-code solution is great. However, it should be noted that some open source Zanzibar implementations like Warrant[1] and SpiceDB[2] (mentioned in the article) also offer a policy-as-code layer on top of Zanzibar’s graph-based/ReBAC approach to tackle these scenarios.

Disclaimer, I’m one of the founders of Warrant.

[1] https://github.com/warrant-dev/warrant

[2] https://github.com/authzed/spicedb

Hey HN, I recently shared my thoughts on why Google Zanzibar is a great solution for implementing authorization[1] and why we decided to build Warrant’s core authz service using key concepts from the Zanzibar paper. As I mentioned in the post, we recently open sourced the authz service powering our managed cloud service, Warrant Cloud[2], so I thought I’d share it with everyone here. Cheers!

[1] https://news.ycombinator.com/item?id=36470943

[2] https://warrant.dev/

More than two years after choosing to build Warrant atop Zanzibar’s core principles, we’re extremely happy with our decision. Doing so gave us a solid technical foundation on which to tackle the various complex authorization challenges companies face today. As we continue to encounter new scenarios and use cases, we’ll keep iterating on Warrant to ensure it’s the most capable authorization service. To share what we learn and what we build with the developer community, we recently open-sourced the core authorization engine that powers our fully managed authorization platform, Warrant Cloud. If you’re interested in authorization (or Zanzibar), check it out and give it a star!

We used Wasp’s built-in auth which makes your auth totally yours and independent of any 3rd party service. Under the hood, it uses Lucia and Arctic to give you email, username and multiple OAuth providers out of the box.

Wasp (https://github.com/wasp-lang/wasp) has actually worked out quite well! It just crossed 10k stars on GitHub and is currently the fastest-growing full-stack framework for React & Node.js. It's being used in both startups and enterprises.

Although Wasp has its own DSL/compiler, the secret to its adoption is probably that it works with the existing stack, like React & Node.js. From the developer's perspective, it feels like a framework; the "compiler" part is just what gives it its superpowers.

Another example of a React framework utilizing Vite to give their users a SPA experience is Wasp - a full-stack framework for React & Node.js that drastically cuts the boilerplate. Despite being a full-stack framework, it focuses on the standardized approach of deploying a client-side React app with a Node.js server to be as portable as possible. With this approach, you can deploy your app pretty much anywhere, as well as self-host it, which is also a thing that we mentioned before in this article.

As before, you will be redirected to the application's login page. Click to link to sign up to create a new account. After authenticating, you will be able to access the todo list functionality as before. ## Conclusion In this guide, we demonstrated how to build and deploy a Wasp application to Koyeb. We started with one of Wasp's templates to create a working, full-stack web application backed by a database. We migrated the application's configuration from a local SQLite database to an external PostgreSQL database to prepare for deployment. Afterwards, we created a multi-stage `Dockerfile` to build and configure our various application layers. Finally, we deployed the backend and web app to Koyeb by targeting different stages in the `Dockerfile`. This tutorial covers the basics of how to manage a Wasp project and deploy to a production environment. As you continue to develop your projects, be sure to check out the [Wasp documentation](https://wasp-lang.dev/docs) to learn how to integrate new features, work with the data model, and leverage the development framework to make your life easier.

First off, Wasp is a full-stack React, NodeJS, and Prisma framework with superpowers. It just crossed 10,000 stars on GitHub, and it has been used to create over 50,000 projects.

When building AI Blog Articles, I decided to get started as fast as possible. So I looked for a free boilerplate and stumbled upon Open SaaS, which used YC-backed Wasp. It is a full-stack React + NodeJS + Prisma that takes 8 hours to get started with.

Exactly. Wasp, https://wasp-lang.dev, is the only framework in the React/Node/Prisma space that's taking this opinionated approach to full-stack development.

For example, you get full-stack auth by just adding this to your config file:

`auth.methods: { email: {}, google: {} }`

Then you on-the-fly Auth UI components and all the necessary hooks

If you already have some sort of foundation in programming, use AI and some great abstractions/frameworks to get things done even faster. For example, instead of creating everything from the ground up (and probably suffering on little things along the way) you can skip repeating yourself a ton of times by using Wasp, which is a great React/Node full-stack framework that takes care of managing the boilerplate side of programming for you. 🤯

Aider is one of my favorite AI agents, especially because it can work with existing codebases. We've seen a lot of good results from folks who used it with Wasp (https://github.com/wasp-lang/wasp) - a full-stack web framework I'm working on.

A "marketingy" demo video: https://www.youtube.com/watch?v=DXunbNBpgZg&ab_channel=Wasp