This issue was moved to a discussion.
Passing parent, args and context into a custom perm auth scope #103
Comments
Auth is a complicated topic, lots of opinions, strategies and tradeoffs that can be made.
CASL

Here is an example using a couple of the things described above. This is a rough idea based on a brief look at the CASL docs.

Setup:

```ts
function createContext() {
  const user = getLoggedInUser();
  const ability = defineAbilitiesFor(user);
  return {
    user,
    ability,
  };
}

const builder = new SchemaBuilder<{
  Context: {
    user: User;
    ability: Ability;
  };
  AuthScopes: {
    casl: [action: string, subject: unknown];
  };
}>({
  plugins: [ScopeAuthPlugin],
  authScopes: async (context) => ({
    // the scope receives the [action, subject] tuple declared on the field or type
    casl: ([action, subject]) => context.ability.can(action, subject),
  }),
});
```

Auth for a field:

```ts
builder.queryField('example', (t) =>
  t.string({
    authScopes: { casl: ['someAction', 'SomeSubject'] },
    resolve: () => 'hi',
  }),
);
```

Auth for a type (applies to all fields):

```ts
builder.objectType('Thing', {
  authScopes: {
    casl: ['someAction', 'SomeSubject'],
  },
  fields: () => ({}),
});
```

Auth for a field that uses the parent (instance of subject):

```ts
builder.objectField('ExampleType', 'exampleField', (t) =>
  t.string({
    authScopes: (parent) => ({ casl: ['someAction', parent] }),
    resolve: () => 'hi',
  }),
);
```

Auth for a type using the parent (applies to all fields):

```ts
builder.objectType('Thing', {
  authScopes: (parent) => ({
    casl: ['someAction', parent],
  }),
  fields: () => ({}),
});
```

I put these descriptions and examples together pretty quickly, so there are probably lots of typos and a few other mistakes, but hopefully the general explanations make sense. For future questions like this, I think GitHub Discussions might be a better fit than issues. I'd like to track common questions like this there so they are easier for others to learn from without having a bunch of open issues.
To elaborate a bit on the CASL example above, I would probably use something like `['read', 'SomeResource']` on the `'SomeResource'` type, and then add additional field level scopes for mutations like `['create', 'SomeResource']`.
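Added example, not Pothos or CASL code: a self-contained TypeScript stand-in that models how the tuple-typed `casl` scope above is evaluated, and why a scope built from the parent instance enforces a rule's conditions while a scope naming only the subject type does not. `MiniAbility`, `scopeLoaders`, `isAuthorized` and the sample posts are assumptions constructed for this illustration.

```typescript
type Rule = { action: string; subject: string; conditions?: Record<string, unknown> };
type Instance = { __typename: string; [field: string]: unknown };
type Subject = string | Instance; // subject type name, or an instance (e.g. the parent)
// Stand-in for a CASL Ability (assumption: not the real library). A rule may carry
// field-equality conditions, like CASL's can('read', 'Post', { authorId: user.id }).
class MiniAbility {
  constructor(private rules: Rule[]) {}
  can(action: string, subject: Subject): boolean {
    const inst = typeof subject === 'string' ? null : subject;
    const typeName = inst ? inst.__typename : (subject as string);
    return this.rules.some((rule) => {
      if (rule.action !== action || rule.subject !== typeName) return false;
      const conds = rule.conditions;
      // A bare subject name satisfies any rule for that type; only an instance
      // can be checked against the rule's conditions.
      if (!inst || !conds) return true;
      return Object.keys(conds).every((k) => inst[k] === conds[k]);
    });
  }
}

type Context = { user: { id: number }; ability: MiniAbility };
type ScopeMap = { casl: [action: string, subject: Subject] };
type AuthScopes = ScopeMap | ((parent: Instance, args: Record<string, unknown>, ctx: Context) => ScopeMap);

// Mirrors the authScopes initializer above: scope name -> checker built from context.
function scopeLoaders(ctx: Context) {
  return { casl: ([action, subject]: ScopeMap['casl']) => ctx.ability.can(action, subject) };
}

// Mirrors how a field's authScopes option is evaluated: a static map, or a
// function of (parent, args, context) that builds the map per request.
function isAuthorized(scopes: AuthScopes, parent: Instance, args: Record<string, unknown>, ctx: Context): boolean {
  const map = typeof scopes === 'function' ? scopes(parent, args, ctx) : scopes;
  const loaders = scopeLoaders(ctx);
  return (Object.keys(map) as (keyof ScopeMap)[]).every((name) => loaders[name](map[name]));
}

// Constructed sample data: user 1 may read only their own posts and update nothing.
function defineAbilitiesFor(user: { id: number }): MiniAbility {
  return new MiniAbility([{ action: 'read', subject: 'Post', conditions: { authorId: user.id } }]);
}
const ctx: Context = { user: { id: 1 }, ability: defineAbilitiesFor({ id: 1 }) };
const ownPost: Instance = { __typename: 'Post', id: 10, authorId: 1 };
const otherPost: Instance = { __typename: 'Post', id: 11, authorId: 2 };
// The type-level scope (as on the object type) passes for someone else's post; the
// parent-level scope (as in the field example) enforces the ownership condition.
const typeLevelOther = isAuthorized({ casl: ['read', 'Post'] }, otherPost, {}, ctx); // true
const parentLevelOwn = isAuthorized((p) => ({ casl: ['read', p] }), ownPost, {}, ctx); // true
const parentLevelOther = isAuthorized((p) => ({ casl: ['read', p] }), otherPost, {}, ctx); // false
```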
Couple of things:

- `customPerm`
- `authScopes`
- `grantScopes`

Especially when coupled with CASL, I am a little confused with what's the best method to use when using an abilities library. What are the pros/cons of each and when should each of those methods be used? I want to say `grantScopes` is super powerful but not sure when to use it 😅

In the `authScopes` initializer, only `context` is passed. The only way to get parent, args and context is to define an `authScopes` function on the field level. Is this the preferred method when checking auth based on args? What if using `customPerm` where a field would pass in a perm, is it possible to have parent, args, context passed into that method?

For return type, is there planned support? I guess the best workaround is to throw `ForbiddenError` in the resolver or `authScopes` on the returned object?