Reputation: 283
So basically, how do you handle permissions?
Let's say we have a list of Post(s) of some kind, with an argument `first` to limit the number of posts. Only the owner and approved users can read the posts; everyone else can't. What is the best way to implement this?
```graphql
query {
  viewer {
    posts(first: 10) {
      id
      text
    }
  }
}
```
What I'm currently thinking of is to have a single source of truth for whether a user can read a post or not, and hook it up with the dataloader module.
But how do I query for exactly 10 posts? If I query my DB for exactly 10 rows and then later filter them with some business logic, I can get, for example, only 8 posts back.
One solution is to not put a limit on the query, but that's not very efficient. So what is a good way to go about this?
Inspiration from here
(1) https://dev-blog.apollodata.com/auth-in-graphql-part-2-c6441bcc4302
(2) https://dev-blog.apollodata.com/graphql-at-facebook-by-dan-schafer-38d65ef075af
(1) solved it by using
```javascript
export const DB = {
  Lists: {
    // Fetch every list the user could possibly see; no `first` limit here
    all: (user_id) => {
      return sql.raw("SELECT id FROM lists WHERE owner_id IS NULL OR owner_id = %s", user_id);
    }
  }
}
```
as the query, and then to filter out which rows can be read:
```javascript
resolve: (root, _, ctx) => {
  // factor out data fetching
  return DB.Lists.all(ctx.user_id)
    .then(lists => {
      // enforce auth on each node
      return lists.map(auth.List.enforce_read_perm(ctx.user_id));
    });
}
```
So we can clearly see that it's querying for all the rows, even if, say, the `first` argument was 1, which is what I'm trying to avoid.
Maybe I'm approaching the problem wrong in some way, as the business logic lives on another layer than the DB one, so there's no way but to query all the rows. Any help appreciated.
Upvotes: 2
Views: 888
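Added example (not code from the question, the answer, or the linked Apollo posts): a resolver core for `posts(first: N)` that fetches rows in chunks, runs the permission check as one batched call per chunk (the shape a DataLoader batch function takes), and refills from the next chunk until exactly `first` readable rows are collected, so authorization is applied before the limit rather than after it. The posts table, the approved-readers map, the user ids and the `selectPosts` stand-in for `SELECT ... LIMIT ? OFFSET ?` are constructed sample data.

```javascript
// Constructed sample data standing in for the posts table and an
// approved-readers table; not the asker's real schema.
const POSTS = [
  { id: 1, ownerId: 'alice', text: 'p1' },
  { id: 2, ownerId: 'bob',   text: 'p2' },
  { id: 3, ownerId: 'alice', text: 'p3' },
  { id: 4, ownerId: 'bob',   text: 'p4' },
  { id: 5, ownerId: 'carol', text: 'p5' },
  { id: 6, ownerId: 'bob',   text: 'p6' },
];
const APPROVED_READERS = { 2: ['carol'], 5: ['alice'], 6: ['alice'] };

// Stand-in for `SELECT ... ORDER BY id LIMIT ? OFFSET ?`; counts round trips
// so the cost of each strategy is visible.
function selectPosts(limit, offset, stats) {
  stats.queries += 1;
  return POSTS.slice(offset, offset + limit);
}

// Single source of truth for read permission, evaluated for a whole chunk of
// posts at once (what a DataLoader batch function would receive).
// Deny by default: an unknown user or an unlisted post yields false.
function canReadBatch(userId, posts) {
  return posts.map(
    (p) => p.ownerId === userId || (APPROVED_READERS[p.id] || []).includes(userId)
  );
}

// Resolver core for `posts(first: N)`: fetch a chunk, authorize it, keep only
// the readable rows, and refill from the next chunk until `first` rows are
// collected or the table is exhausted. The limit is applied to authorized
// rows, so filtering never produces a short page.
function readablePosts(userId, first, chunk = first) {
  const stats = { queries: 0 };
  const out = [];
  let offset = 0;
  while (out.length < first) {
    const batch = selectPosts(chunk, offset, stats);
    const allowed = canReadBatch(userId, batch);
    for (let i = 0; i < batch.length && out.length < first; i++) {
      if (allowed[i]) out.push(batch[i]);
    }
    if (batch.length < chunk) break; // table exhausted
    offset += chunk;
  }
  return { posts: out, queries: stats.queries };
}
```

Raising `chunk` above `first` trades a larger first query for fewer round trips when most rows are unreadable; pushing the ownership and approval predicate into the SQL itself removes the refill loop entirely, at the cost of keeping the permission rule in two places.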
Reputation: 283
For future reference and for other people searching for solutions: I used DataLoader to solve the authentication problem.
I literally implemented what they did in https://dev-blog.apollodata.com/graphql-at-facebook-by-dan-schafer-38d65ef075af and used this boilerplate repo as guidance. Not much more to say than that.
Upvotes: 1