Change security operation domain type and it's filtering strategy.

[Atlinx]

I think the current filtering used by the operation domain is too limiting. The addition of the and operator from #214 is nice, but that now prevents me from running multiple queries from one context.

Problem

For example consider if we want to launch queries using these domains:

const operationDomain = {
  userId: [ "83djwif92dk39r20dkw0" ]
}
const operationDomain2 = {
  userId: [ "83djwif92dk39r20dkw0", "d0428op23408dierip30"],
  projectId: [ "230dofijwpei02epioei", "83jfepi203847fjp48" ]
}
const operationDomain3 = {
  roleCode: "USER"
}
const operationDomain4 = {
  projectInviteId: "83djwif92dk39r20dkw0"
}

With the current implementation, we would have to make 4 separate EntityManagers.

Solution

We can instead make the domain an array of all the domains we want to query:

const operationDomain = [
  {
    userId: "83djwif92dk39r20dkw0"
  },
  {
    userId: "83djwif92sk03p0dkw0",
    projectId: "230dofijwpei02epioei"
  },
  {
    userId: "d0428op23408dierip30",
    projectId: "83jfepi203847fjp48"
  },
  {
    roleCode: "USER"
  },
  {
    projectInviteId: "83djwif92dk39r20dkw0"
  },
];

Which converts into this filter:

filter = { 
  $or: [
    { 
      userId: { eq: "83djwif92dk39r20dkw0" }
    }, 
    {
      userId: { eq: "83djwif92sk03p0dkw0" },
      projectId: { eq: "230dofijwpei02epioei" }
    },
    {
      userId: { eq: "d0428op23408dierip30" },
      projectId: { eq: "83jfepi203847fjp48" }
    },
    {
      roleCode: { eq: "USER" }
    },
    {
      projectInviteId: { eq: "83djwif92dk39r20dkw0" }
    },
  ]
}

Workarounds

As stated above, you would have to make a dedicated EntityManager for each query in order to inject the appropriate operation domain.

I'm making a GraphQL endpoint, and I'm currently storing the operation domain in a metadata header passed with every GraphQL request. Without this feature, I would have to store multiple operation domains in the metadata header and also specify which domain should go with which request. This would add a lot of complexity to my backend. To avoid this complexity, I'm currently splitting up my queries at the client level, so I'm making multiple calls to the endpoint, which is still not optimal.

[edobrb]

Interesting idea, although queries can get complex. A feature to evaluate, what do you think @minox86 ?

[minox86]

Mmm... operation domains are intended to be "per query" because they identify the security domain of the caller. Giving a complex domain with or clauses sounds strange to me, it means the caller can have a domain or another or another to do a specific query.

@Atlinx am I missing something?

[Atlinx]

Yea that makes sense. I had originally wanted to make nested queries through a single graphql query:

Ex.

// Set security domain for projects and invites
projects {
  invites {
    ...
  }
}

But it could be worked around with multiple queries.

projects {
  ...
}
invites {
  ...
}

[edobrb]

During the implementation of the algorithm that infers the operation security domain from the filter, it turned out that in reality this solution proposed by @Atlinx is required. Specifically to support the $or filter. If someone want to try a preview of this (#210) feature it is published within version 2.0.1-0

[Atlinx]

Is the filtering strategy that you implemented slightly different than what I described? I noticed I still had arrays within a single security domain after I upgraded to v2.1.1.