-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Integrated Authorization #1494
Integrated Authorization #1494
Conversation
I rolled my own pundit-based auth that attempted to mimic what I'd get from graphql-pro: https://gist.github.com/bgentry/da703027ed80002b9686f2f90ab3ab2c I'm interested in trying a built-in solution for this, lmk when there's something ready to try or if you need other feedback on ideas! ✌️ |
This is awesome, thank you |
We dynamically generate our enums. For example, we allow ordering on any database field:
It would be great if we could hide the enum values that correspond to our fields that aren't visible. |
That's a great point about enum values, I don't think they can be authorized specifically on this branch yet, but I will add it! |
I added a conceptual overview of graphql auth here: https://github.com/rmosolgo/graphql-ruby/blob/integrated-auth/guides/authorization/overview.md I'd love a review if anyone has a few minutes. |
guides/authorization/overview.md
Outdated
end | ||
``` | ||
|
||
The downside of this is that, when `Types::Post` is queried in other contexts, the same authorization check may not be applied. Additionally, since the authorization code is couple with the GraphQL API, the only way to test it is via GraphQL queries, which adds some complexity to tests. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/is couple with/is coupled with/
I pushed some WIP docs for each step. Still some error customization work to do, also the enum value bit as described above. |
One concept that might be worth thinking about is the idea of trimming a list or a connection. def posts
# Fetch the posts this user can see:
Post.posts_for(context[:current_user])
end Would it be possible to move the The authorization instrumentation that we use does two checks:
It seems like a common pattern. |
That's a great point, I think we can also see CanCan's |
083fb68
to
990cf02
Compare
Thanks for all of your work, btw |
Just pushed one nice bonus, |
Ok, I think enough has been written here for one PR. It turned out tough! On monday I'll give the code another look and see if there are any hacks to clean up. This leaves out several features which I'd like to investigate, probably in this order:
|
Oh, that's not quite right, 2 more things to do:
|
lib/graphql/schema/field.rb
Outdated
argument :after, "String", "Returns the elements in the list that come after the specified cursor.", required: false | ||
argument :before, "String", "Returns the elements in the list that come before the specified cursor.", required: false | ||
argument :after, "String", "Returns the elements in the list that come after the specified global ID.", required: false | ||
argument :before, "String", "Returns the elements in the list that come before the specified global ID.", required: false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oops, bad merge
One of your TODOs is to ping interested people. I’m interested :) |
GitHub isn't quite passing yet, but it's because of how some code that used to not be in a Promise, is now in a Promise, because our |
Starting to build on this for mutations here: #1609 |
I'd like to take some lessons learned from graphql-pro auth and from GitHub's auth and roll them into an integrated auth system.
The goal is:
.visible?(context)
for hiding parts of the schema altogether.accessible?(context)
for preventing queries that touch those parts.authorized?(value, context)
for runtime authorization of application valuesUsing the class-based API will make it much easier to share code between hooks and easier to create default logic. Open-sourcing this logic will help more people adopt GraphQL because we'll have a clear, shared auth system, and it will improve the system, since intensive users can contribute with fixes and features.
TODO
visible?
/accessible?
/authorized?
hooks to the new class-based type, field, and argument classesUseWill add laterGraphQL::UnauthorizedError
for debugging