-
Notifications
You must be signed in to change notification settings - Fork 142
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(graphql,auth,#1026): Pass operation name to authorizer #1043
Conversation
Pull Request Test Coverage Report for Build 729270224
💛 - Coveralls |
@mwoelk thank you for the PR! This makes sense to me, the only thing I question is if the we should be passing the name directly or instead create a new type (maybe |
@doug-martin sounds great. Thought about it in the beginning but wasn't sure of any additional parameters but it's definitely the better approach to keep it flexible. I'm going to update the PR today. |
@doug-martin Here's a summary of the changes made in the three added commits:
AuthorizationContext structureinterface AuthorizationContext {
/** The name of the method that uses the @AuthorizeFilter decorator */
operationName: string;
/** The group this operation belongs to */
operationGroup: 'read' | 'aggregate' | 'create' | 'update' | 'delete';
/** If the operation does not modify any entities */
readonly: boolean;
/** If the operation can affect multiple entities */
many: boolean;
} This way in a custom e.g. we can perform a simple if(authContext.readonly) {
...
} instead of comparing the operation name to all possible read operations such as query, aggregate, find, etc. AuthorizationContext inferenceThis context is either passed as an argument to the
AuthorizationFilterThe authorization filter can be used in three ways:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wow! Great job diving in and figuring this out so quickly. I had a few comments let me know what you think.
Thank you again for your contribution, this is awesome!
packages/query-graphql/src/decorators/authorize-filter.decorator.ts
Outdated
Show resolved
Hide resolved
packages/query-graphql/src/decorators/authorize-filter.decorator.ts
Outdated
Show resolved
Hide resolved
@mwoelk the proxy branch looks really good. The two things that stuck out to me after a first pass is the Once you make those changes I'll do one final pass merge and release! Thanks again! |
@doug-martin Good catch with the wrong attribute on the deleteMany context (fixed in 9306525). Regarding the examples what kind of example do you mean? I added a whole section to the docs and added some example usage to the auth-example in the SubTaskAuthorizer and in the TodoItemDTO Should I create a whole new example project based on the auth example that covers different use cases of the authContext? |
Hey Doug,
here's a pull request that adds the primary feature requested in #1026.
I'm looking forward to your feedback.
Contents
Authorizer
interface to also receive anoperationName
(optional Argument to keep backwards compatibility)DefaultCrudAuthorizer
andAuthorizerOptions
to also pass along theoperationName
argument.AuthorizerFilter
,RelationAuthorizerFilter
andModifyRelationAuthorizerFilter
to pass the name of the annotated method asoperationName
to theAuthorizer
. This name can also be overriden by a new optional argumentoperationName
that was added to those decorators.queryMany
of theReadResolver
to change the passed name toquery
to better align with the names of the query service.nestjs-query-3
- user. Modified the example so that this user can read and aggregate all todos of all users but only update/delete his own todosoperationName
parameter gets passed correctlyUnimplemented parts of the feature request
create*
methods. This should be the scope of a new issue/PR. Main use case would be to throw an Unauthorized here if a user isn't authorized. The filters returned by the authorizers may not be needed for creation. (But maybe could be checked against the input but this would be more related to validation again).