
Accessing jwt.claim.user_id as variable value in query #1986

Closed
ashokkumar88 opened this issue Mar 10, 2024 · 2 comments

Comments

@ashokkumar88

Summary

I want to fetch only the rows that contain their respective user_id. In the condition I want to access the user_id from context, like below, without RLS:

{
  orders(condition: {user_id: "jwt.claims.user_id"}) {
    nodes {
      id
      amount
    }
  }
}

Additional context

@DanielFGray
Contributor

DanielFGray commented Mar 11, 2024

without RLS

I hate to be the bearer of bad news but avoiding RLS is highly likely to make your app less secure and more complex

in a typical postgraphile app, the solution to this feature is usually a currentUser query which is defined by a few postgres functions

-- Reads the user id claim that PostGraphile puts into the transaction settings.
-- The second argument to current_setting() suppresses the error when the
-- setting is absent, and nullif() turns the empty string into NULL before the
-- uuid cast, so an anonymous request yields NULL rather than an error.
create function app_public.current_user_id() returns uuid as $$
  select nullif(pg_catalog.current_setting('jwt.claims.user_id', true), '')::uuid;
$$ language sql stable;

-- Exposed by PostGraphile as the `currentUser` query field.
create function app_public.current_user() returns app_public.users as $$
  select users.* from app_public.users where id = app_public.current_user_id();
$$ language sql stable;

then assuming that orders has a foreign key to users you can access the current user's orders with a graphql query like

query {
  currentUser {
    orders {
      nodes {
        id
        amount
      }
    }
  }
}

@benjie
Member

benjie commented Mar 11, 2024

^ This is the correct answer, thanks Daniel.

Basically: you use the graph-based nature of GraphQL to start at the current user, and then navigate from there to the related orders. You can add a field representing the current user via a database function as Daniel shows, or you can use makeExtendSchemaPlugin along with additionalGraphQLContextFromRequest (v4) or preset.grafast.context (v5) to add the relevant user ID to the context so that it can be used in your resolver (v4) / plan resolver (v5).


If you're really set on not using RLS at all (which I don't think is your question, but just in case), check out https://github.com/benjie/v5-auth-poc which is V5 only and highly experimental (not supported at all - it even needs a patch (included) to work currently).

[semi-automated message] To keep things manageable I'm going to close this issue as I think it's solved; but if not or you require further help please re-open it.

@benjie benjie closed this as completed Mar 11, 2024
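The following PostgreSQL script is an added example, not code from the issue thread or from PostGraphile itself. It puts Daniel's `current_user_id()` / `current_user()` functions next to the row-level security policy both replies recommend, and simulates what PostGraphile does per request (set the JWT claim as a transaction-local setting, switch to a restricted role, run the query) so you can see why the claim never needs to be passed as a query argument. The table names, columns, the `app_user` role and the sample rows are assumptions; the setting name `jwt.claims.user_id` is the one from the issue.

```sql
-- Added example (constructed); assumes PostgreSQL 13+ for gen_random_uuid().
create schema if not exists app_public;

create table app_public.users (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table app_public.orders (
  id      serial primary key,
  user_id uuid not null references app_public.users(id),
  amount  numeric(10, 2) not null
);

-- NULL when the claim is absent: the `true` argument stops current_setting()
-- from raising, and nullif() maps '' to NULL before the uuid cast.
create function app_public.current_user_id() returns uuid as $$
  select nullif(pg_catalog.current_setting('jwt.claims.user_id', true), '')::uuid;
$$ language sql stable;

create function app_public.current_user() returns app_public.users as $$
  select users.* from app_public.users where id = app_public.current_user_id();
$$ language sql stable;

-- RLS: every SELECT on orders is filtered to the caller's own rows no matter
-- what arguments the GraphQL query supplies. A NULL user id matches nothing.
alter table app_public.orders enable row level security;
create policy select_own_orders on app_public.orders
  for select using (user_id = app_public.current_user_id());

-- Restricted role: RLS is not applied to the table owner, so requests must run
-- as a role that only has the grants it needs (assumed role name).
create role app_user;
grant usage on schema app_public to app_user;
grant select on app_public.users, app_public.orders to app_user;

-- Constructed sample data.
insert into app_public.users (id, name) values
  ('11111111-1111-1111-1111-111111111111', 'alice'),
  ('22222222-2222-2222-2222-222222222222', 'bob');
insert into app_public.orders (user_id, amount) values
  ('11111111-1111-1111-1111-111111111111', 10.00),
  ('22222222-2222-2222-2222-222222222222', 20.00);

-- One request as alice: the claim is transaction-local, so it cannot leak
-- into another request that reuses the connection.
begin;
  set local role app_user;
  set local jwt.claims.user_id = '11111111-1111-1111-1111-111111111111';
  select name from app_public.current_user();   -- alice
  select id, amount from app_public.orders;     -- only alice's order (10.00)
  -- Even an explicit filter for bob's id returns no rows under the policy.
  select count(*) from app_public.orders
   where user_id = '22222222-2222-2222-2222-222222222222';  -- 0
commit;

-- An anonymous request: no claim set, current_user_id() is NULL, zero rows.
begin;
  set local role app_user;
  select count(*) from app_public.orders;       -- 0
commit;
```

The policy is what makes the `currentUser { orders { ... } }` traversal safe: the GraphQL layer only chooses where to start navigating, while the database decides which rows exist for this caller. Run the script with `psql -f` as a superuser or as the owner of the `app_public` schema who is allowed to `set role app_user`.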