This repository has been archived by the owner on Apr 17, 2023. It is now read-only.

Keycloak Relationship Authorization requires config to be applied on M:1 (opposite) side #2099

Open
craicoverflow opened this issue Sep 22, 2020 · 7 comments
Labels
bug Something isn't working keycloak-authz regression

Comments

@craicoverflow

  • Module: @graphback/keycloak-authz
  • Version: 1.0.0-beta*

According to the Keycloak-Authz Relationship Authorization documentation I can apply authorization restrictions on one-to-many fields, like the example below:

const authConfig = {
  Task: {
    relations: {
      taskUsers: { roles: ['admin'] },
      allTasksComments: { roles: ['commenter'] }
    }
  }
}

Take a look at my auth config below. Note.comments is a one-to-many field.

const authConfig: CrudServicesAuthConfig = {
  Note: {
    ...,
    relations: {
      // Note.comments oneToMany field
      comments: { roles: ['super_admin'] }
    }
  }
}

Datamodel:

""" @model """
type Note {
  """ @id """
  _id: ID!
  title: String!
  description: String
  """
  @oneToMany(field: 'note')
  """
  comments: [Comment]!
}

""" @model """
type Comment {
  """ @id """
  _id: ID!
  text: String
  description: String
}

However, I am able to retrieve the comments relation data without any user privileges.

Upon inspection of the KeycloakCrudService, it is comparing the relationField parameter to comments, but this parameter is noteId (as it is in CRUDService), so the auth check is never executed.

public batchLoadData(relationField: string, id: string | number, filter: QueryFilter, context: GraphbackContext, info?: GraphQLResolveInfo) {
  if (this.authConfig?.relations && this.authConfig?.relations[relationField]?.roles.length > 0) {
    const { roles } = this.authConfig?.relations[relationField];
    // ...

To get it to work I would need to do:

Comment: {
  relations: {
    noteId: { roles: ['super_admin'] }
  }
}

Is this a bug or a docs issue?
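The mismatch described above, as an added example that is not Graphback's own code: a simulated relation lookup in which a rule keyed on `Note.comments` is never consulted because the Comment service receives the foreign-key name `noteId`, next to a hardened lookup that also resolves the rule declared on the opposite side. The `relationMeta` shape and the `checkAsReported` / `checkBothSides` functions are hypothetical.

```typescript
// Added example, not Graphback's code. Assumes the relationField passed to
// batchLoadData is the foreign-key name on the M:1 side ("noteId").
type RelationAuth = Record<string, { roles: string[] }>;
type Context = { roles: string[] };

// Constructed metadata (hypothetical shape): maps the foreign key on the
// many side back to the oneToMany field on the one side.
const relationMeta: Record<string, { parentModel: string; parentField: string }> = {
  noteId: { parentModel: "Note", parentField: "comments" },
};

// Config written the way the docs describe: keyed by the Note.comments field.
const authConfig: Record<string, { relations?: RelationAuth }> = {
  Note: { relations: { comments: { roles: ["super_admin"] } } },
  Comment: {},
};

function hasRole(ctx: Context, roles: string[]): boolean {
  return roles.some((r) => ctx.roles.includes(r));
}

// Behaviour reported in the issue: the Comment service looks up "noteId" in
// its own relations map, finds no rule, and skips the check entirely.
function checkAsReported(model: string, relationField: string, ctx: Context): boolean {
  const rule = authConfig[model]?.relations?.[relationField];
  if (rule && rule.roles.length > 0) return hasRole(ctx, rule.roles);
  return true; // no rule found: access allowed
}

// Hardened lookup: fall back to the rule declared on the opposite (1:M) side,
// so a rule on Note.comments also protects loads of Comment by noteId.
function checkBothSides(model: string, relationField: string, ctx: Context): boolean {
  const direct = authConfig[model]?.relations?.[relationField];
  const meta = relationMeta[relationField];
  const opposite = meta ? authConfig[meta.parentModel]?.relations?.[meta.parentField] : undefined;
  const rule = direct ?? opposite;
  if (rule && rule.roles.length > 0) return hasRole(ctx, rule.roles);
  return true;
}
```

With the reported lookup an unprivileged context is allowed through; the two-sided lookup denies it and admits only a `super_admin`.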

@craicoverflow craicoverflow added the bug Something isn't working label Sep 22, 2020
@machi1990
Contributor

Automatically generated comment to notify maintainers
/cc @machi1990, @wtrocki

@craicoverflow craicoverflow changed the title Keycloak Relationship Authorization does not appear to work as described in docoumentation Keycloak Relationship Authorization does not appear to work as described in documentation Sep 22, 2020
@craicoverflow
Author

@craicoverflow update docs

@craicoverflow craicoverflow self-assigned this Sep 22, 2020
@craicoverflow
Author

Temporary fix added in #2101

@craicoverflow craicoverflow removed their assignment Sep 22, 2020
@machi1990
Contributor

@craicoverflow thanks. Looks like the fix just landed in master. What I see here:

  • Either close the issue as now everything works as designed
  • Change issue title to what would be desirable way of doing things.

/cc @wtrocki

@wtrocki
Contributor

wtrocki commented Sep 22, 2020

I would love to get back to it once the 1.0 dust settles.

@craicoverflow craicoverflow changed the title Keycloak Relationship Authorization does not appear to work as described in documentation Keycloak Relationship Authorization requires config to be applied on M:1 (opposite) side Sep 22, 2020
@RinkiyaKeDad
Contributor

Has this issue been fixed as mentioned by @craicoverflow in #2101? If not then what more needs to be done?

@craicoverflow
Author

Hi @RinkiyaKeDad - this is not fixed yet. The description already covers what is required to do this, and to be honest it is not an easy fix at all, as yet we are unsure how it can be fixed. You can give it a go, but there are probably better issues to take for now.
