How We Scaled from 10 to 750+ Permissions Without Writing a Single Middleware Function | Metaprogramming

This thread is about auto Generating Semantic role based access control middleware  using Metaprogramming.

Metaprogramming is code that writes or manipulates other code.

When building a scalable API, Role-Based Access Control (RBAC) usually starts simple. You have a few permissions, a check function, and life is good.

// The "Good Old Days"
app.get('/orders', {
  preHandler: [ensurePermission('orders:read')],
  handler: getOrders
});

But as an application grows, so does the complexity.

In a typical Enterprise SaaS platform, you might have dozens of modules (Inventory, Billing, CRM, User Management) and hundreds of distinct permissions.

Suddenly, simple string-based checks become a liability.

Magic String Hell: 

Was it order:read or orders:read?

The compiler won't tell you until runtime (or worse, production).

Discovery Issues: 

How does a new engineer know which permissions exist?

They have to hunt through massive configuration files.

Refactoring Nightmares:

 Renaming a resource means finding and replacing strings across the entire codebase.

We needed a solution that gave us the flexibility of granular permissions with the safety and developer joy of modern TypeScript.

We solved it with a pinch of metaprogramming.

Here is how we auto-generated type-safe semantic middleware methods without writing a single line of boilerplate.

1. The Source of Truth: Structured Constants

Organize permissions into a structured, nested hierarchy.

Instead of a flat list, we define a master PERMISSIONS object that groups everything by domain.

We can use a helper to standardize CRUD actions

1. read
2. create
3. update
4. delete

// permissions.ts
export const PERMISSIONS = {
  // Inventory Module
  INVENTORY: {
    READ: 'inventory.items:read',
    CREATE: 'inventory.items:create',
    UPDATE: 'inventory.items:update',
    DELETE: 'inventory.items:delete',
  },
  // Orders Module
  ORDERS: {
    READ: 'sales.orders:read',
    APPROVE: 'sales.orders:approve',
    CANCEL: 'sales.orders:cancel',
  }
} as const;

This gives us a Single Source of Truth, but we are still passing strings to our middleware.

2. The Generator: Turning Strings into Methods

We want our API routes to read like English sentences. Instead of ensurePermission('sales.orders:approve'), we want ensureCanApproveOrders.

Writing hundreds of these wrapper functions manually is tedious and error-prone.

Instead, we can write a Semantic Method Generator.

The logic is simple:

1. Iterate over the PERMISSIONS object.
2. Parse the permission string, find action & resource.
3. Construct a function name: ensureCan + Action + Resource.
4. Generate a closure that calls the underlying generic middleware.

Here is the simplified concept:

1. Parse: 'sales.orders:approve' -> action='approve', resource='orders'
2. Format: ensureCan + Approve + Orders
3. Generate: Create the middleware function dynamically.

// method.generator.ts
function generateSemanticMethods(permissions) {
  const methods = {};

// Walk through every permission group
Object.values(permissions).forEach((group) => {
  Object.entries(group).forEach(([action, permissionString])  

const resourceName = getResourceName(permissionString); 

const methodName = `ensureCan${capitalize(action)}${capitalize(resourceName)}`;

methods[methodName] = (request, reply) => {
 return ensureExactPermission(permissionString)(request,reply);
};
 
  return methods;
}

The Result: A Developer Experience Upgrade

Before

app.post('/orders/:id/approve', {
  preHandler: [
    ensureAuthentication,
    // Hope you didn't make a typo!
    // And is it 'orders:approve' or 'sales.orders:approve'?
    ensureExactPermission('sales.orders:approve') 
  ],
  handler: approveOrder
});

After

Now, we have full Intellisense support. A developer types app.ensureCan and their IDE immediately lists every valid action in the system.

app.post('/orders/:id/approve', {
  preHandler: [
    app.ensureAuthentication,
    // Full autocomplete + Type safety + Descriptive names
    app.ensureCanApproveOrders 
  ],
  handler: approveOrder
});

Why This Matters

1. Zero Boilerplate: We write the generation logic once (~50 lines).
2. Scalability - Add 100 new resources? Zero manual code.
3. Eliminates Magic Strings - No more typos, no more order:read vs orders:read bugs
4. Self-Documenting Code - ensureCanApproveOrders is instantly readable vs cryptic strings
5. Consistency - Every permission follows the exact same pattern and naming convention
6. Easier Code Reviews: Reviewers can understand intent at a glance
7. Reduced Cognitive Load Developers don't memorize strings, they just read semantic method names

As we add new modules (like Billing or Analytics), the corresponding middleware methods appear automatically.

Metaprogramming is a tool that should be used sparingly, but when applied to infrastructure code.

1. like generating strict interfaces from configuration.
2. it dramatically boosts team velocity and safety.

Fifty lines of generation code replaced thousands of lines of boilerplate and eliminated an entire class of production bugs.

That's the leverage good architecture provides.

#TypeScript #Nodejs #Fastify #Engineering #DesignPatterns