What is a good template for implementing access control on a GraphQL server?

Background:

I have a set of models, including the user and other models, some of which contain links to the user. I query these models through the GraphQL API created by Graffiti, backed by a Mongo database, using graffiti-mongoose. My current REST API (which I am porting to GraphQL) uses JSON Web Tokens to authenticate users and has some server-side permissions logic for access control.

Problem:

I would like to restrict access to objects in GraphQL based on the current logged in user. Some models must be readable by unauthenticated calls. Most other models should be available only to the user who created them. What is the best way to control access to objects through an API created using graffiti?

In general, are there any good access control patterns for GraphQL? And in particular, are there any good examples or libraries for this with graffiti?

Notes:

I understand that pre- and post-hooks were implemented for graffiti-mongoose and that they can be used to perform basic binary checks for authentication. I would like to see how more detailed access control logic can be handled in the GraphQL API. In the future, we want to support features such as Administrators, who have access to model instances created by a specific group of users (for example, Users whose branches include administrators).

+7
authentication access-control graphql
2 answers

Typically, GraphQL does not handle access control directly, but delegates this responsibility to whatever data system it interacts with. In your case, it sounds like Mongoose.

Since access control logic is often arbitrary logic (for example: has this user been blocked from some content? Has the publisher of this content limited it with privacy settings?), and since it sounds like in your case this access control logic is actually pretty normal, it should live in the "resolve" function which returns the value for a GraphQL field.

For example:

```javascript
var { GraphQLObjectType, GraphQLString } = require('graphql');

var UserType = new GraphQLObjectType({
  name: 'User',
  fields: {
    name: { type: GraphQLString },
    birthday: {
      type: GraphQLString,
      // The access check lives in the field's resolve function. graphql-js passes
      // (source, args, context); `context` is the per-request object to which the
      // server attaches the logged-in identity (e.g. decoded from the JWT).
      resolve(user, args, context) {
        var auth = context.myLoggedInAuth;
        // myCanAuthSeeBirthday is the application's own permission check.
        if (myCanAuthSeeBirthday(auth, user)) {
          return user.birthday;
        }
        // Otherwise the field resolves to null.
      }
    }
  }
});
```
+9
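The answer above puts the permission check inside the field's resolve function. The following is an added example, not code from the answer or from graffiti, showing how that pattern covers the three cases the question lists: a model readable without authentication, a model readable only by its owner, and an administrator who may read records owned by users in the same branch. It is written without the graphql package so it runs stand-alone; the shape of `context.auth`, the `rules` table, the `guarded` wrapper and the sample records are assumptions for illustration, and the check is deny-by-default (a type with no rule resolves to null).

```javascript
// Added example (not from the original answer or from graffiti). All names below
// (context.auth, rules, guarded, the sample users/notes/posts) are assumptions.

// Constructed sample data: users, a public "Post" model and an owner-only "Note" model.
const users = {
  u1: { id: 'u1', name: 'alice', branch: 'eng', roles: [] },
  u2: { id: 'u2', name: 'bob', branch: 'eng', roles: ['admin'] },   // admin of the eng branch
  u3: { id: 'u3', name: 'carol', branch: 'ops', roles: ['admin'] }, // admin of another branch
};
const notes = [
  { id: 'n1', ownerId: 'u1', body: 'alice private note' },
  { id: 'n2', ownerId: 'u2', body: 'bob private note' },
];
const posts = [{ id: 'p1', ownerId: 'u1', title: 'public post' }];

// An admin may read records owned by users in the admin's own branch.
function adminOverUser(auth, owner) {
  return auth.roles.includes('admin') && !!owner && owner.branch === auth.branch;
}

// One rule per model type. Each returns true when the caller may read the record.
// `auth` is whatever the JWT middleware attached to the request context, or null
// for an unauthenticated call.
const rules = {
  // Posts are readable by anyone, including unauthenticated callers.
  Post: () => true,
  // Notes are readable by their owner, or by an admin over the owner's branch.
  Note: (auth, note) =>
    !!auth && (note.ownerId === auth.id || adminOverUser(auth, users[note.ownerId])),
};

// Wraps a resolver so the record is returned only when the rule for its type
// allows it. Deny-by-default: a type without a rule resolves to null.
function guarded(typeName, resolver) {
  return (parent, args, context) => {
    const record = resolver(parent, args, context);
    if (!record) return null;
    const rule = rules[typeName];
    const auth = context.auth || null;
    return rule && rule(auth, record) ? record : null;
  };
}

// Resolvers as they would sit in a schema's field definitions.
const resolvers = {
  post: guarded('Post', (_p, args) => posts.find((p) => p.id === args.id)),
  note: guarded('Note', (_p, args) => notes.find((n) => n.id === args.id)),
  // A list field filters out forbidden records instead of nulling the whole list.
  notes: (_p, _a, context) => notes.filter((n) => rules.Note(context.auth || null, n)),
};

// Simulates what the GraphQL executor does: call the resolver with (parent, args, context).
function query(field, args, auth) {
  return resolvers[field](null, args, { auth });
}

// query('post', { id: 'p1' }, null)      -> the post (public)
// query('note', { id: 'n1' }, null)      -> null (unauthenticated)
// query('note', { id: 'n1' }, users.u1)  -> alice's note (owner)
// query('note', { id: 'n1' }, users.u2)  -> alice's note (admin of alice's branch)
// query('note', { id: 'n1' }, users.u3)  -> null (admin of a different branch)
```

Keeping the rules in one table per type, rather than scattered through individual resolvers, is what makes the later "administrator" requirement a one-line change; the resolvers themselves only fetch and then ask the rule.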

I am creating a rule-based access control library that can be used with GraphQL.

https://github.com/joonhocho/graphql-rule

It is simple and unopinionated, so it can be used with or without a schema.

You can use it with simple javascript objects.

Hope this helps GraphQLers!

+2
