astrumu / graphql-authz
GraphQL authorization layer
License: Other
@graphql-authz/[email protected] in turn references @graphql-tools/utils@8.1.2, which in turn conflicts with graphql@16.
It would be good to update the @graphql-tools/utils dependency to a later version to resolve these conflicts.
When using the apollo-server plugin, it looks like when an invalid query is passed to the API, the plugin throws a TypeError.
TypeError: Cannot read properties of undefined (reading 'args')
at getArgumentValues (/Users/jeffreydefond/projects/graphql-authz/node_modules/graphql/execution/values.js:183:28)
at Object.Field (/Users/jeffreydefond/projects/graphql-authz/packages/core/src/rules-compiler.ts:290:27)
at Object.enter (/Users/jeffreydefond/projects/graphql-authz/node_modules/graphql/utilities/TypeInfo.js:387:27)
at visit (/Users/jeffreydefond/projects/graphql-authz/node_modules/graphql/language/visitor.js:200:21)
at compileRules (/Users/jeffreydefond/projects/graphql-authz/packages/core/src/rules-compiler.ts:346:3)
at Object.requestDidStart (/Users/jeffreydefond/projects/graphql-authz/packages/plugins/apollo-server/src/index.ts:26:29)
at initializeRequestListenerDispatcher (/Users/jeffreydefond/projects/graphql-authz/node_modules/apollo-server-express/node_modules/apollo-server-core/src/requestPipeline.ts:598:39)
at processGraphQLRequest (/Users/jeffreydefond/projects/graphql-authz/node_modules/apollo-server-express/node_modules/apollo-server-core/src/requestPipeline.ts:115:28)
at ApolloServer.executeOperation (/Users/jeffreydefond/projects/graphql-authz/node_modules/apollo-server-express/node_modules/apollo-server-core/src/ApolloServer.ts:995:33)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
When using wrapExecuteFn, queries that contain __typename will fail with an error Cannot read property 'args' of undefined.
This comes from https://github.com/AstrumU/graphql-authz/blob/main/packages/core/src/rules-compiler.ts#L285-L287
The __typename field is not actually a field in the graphql schema, so certain operations (like trying to get the field schema, or fetch args for it) will not work.
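The two reports above (the TypeError on an invalid query, and the same TypeError on __typename) share one root cause: a rule compiler that looks a selection's name up in the parent type's field map and dereferences the result without checking it. The TypeScript below is an added illustration, not code from graphql-authz or graphql-js; the toy schema, the Selection/FieldDef types and the function names are constructed for the example. The unguarded walk reproduces "Cannot read properties of undefined (reading 'args')" for both cases, while the guarded walk skips introspection meta-fields and turns an unknown field into an explicit error.

```typescript
// Added example, not graphql-authz code. Toy stand-ins for graphql-js types.
interface FieldDef { name: string; args: string[]; type: string; }
interface ObjectType { name: string; fields: Record<string, FieldDef>; }
interface Selection { name: string; selections?: Selection[]; }

// Constructed toy schema: Query.user(id): User, User { id, email }
const toySchema: Record<string, ObjectType> = {
  Query: { name: "Query", fields: { user: { name: "user", args: ["id"], type: "User" } } },
  User: {
    name: "User",
    fields: {
      id: { name: "id", args: [], type: "ID" },
      email: { name: "email", args: [], type: "String" },
    },
  },
};

// __typename, __schema and __type are meta-fields handled by the executor;
// they are never entries in an object type's field map.
function isMetaField(name: string): boolean {
  return name.indexOf("__") === 0;
}

// Unguarded walk, mirroring the failure mode in the reports: indexing the field
// map with a name that is not there yields undefined, and reading .args on it
// throws TypeError: Cannot read properties of undefined (reading 'args').
function collectFieldPathsUnsafe(parent: ObjectType, selections: Selection[], out: string[] = []): string[] {
  for (const sel of selections) {
    const def = parent.fields[sel.name] as FieldDef;
    out.push(`${parent.name}.${sel.name}(${def.args.join(",")})`);
    if (sel.selections) collectFieldPathsUnsafe(toySchema[def.type], sel.selections, out);
  }
  return out;
}

// Guarded walk: skip meta-fields, and report an unknown field clearly instead of
// crashing deep inside the rule compiler.
function collectFieldPaths(parent: ObjectType, selections: Selection[], out: string[] = []): string[] {
  for (const sel of selections) {
    if (isMetaField(sel.name)) continue;
    const def: FieldDef | undefined = Object.prototype.hasOwnProperty.call(parent.fields, sel.name)
      ? parent.fields[sel.name]
      : undefined;
    if (def === undefined) {
      throw new Error(`Unknown field ${parent.name}.${sel.name}; validate the document before compiling rules`);
    }
    out.push(`${parent.name}.${sel.name}(${def.args.join(",")})`);
    if (sel.selections) {
      const child = toySchema[def.type];
      if (child === undefined) throw new Error(`Cannot select sub-fields on leaf type ${def.type}`);
      collectFieldPaths(child, sel.selections, out);
    }
  }
  return out;
}

// Constructed document: { __typename user(id: 1) { __typename email } }
const queryWithTypename: Selection[] = [
  { name: "__typename" },
  { name: "user", selections: [{ name: "__typename" }, { name: "email" }] },
];
// Constructed invalid document: { user { passwordHash } } (no such field on User)
const invalidQuery: Selection[] = [{ name: "user", selections: [{ name: "passwordHash" }] }];

// Returns the name of the error a call throws, or "none".
function errorNameOf(fn: () => unknown): string {
  try { fn(); return "none"; } catch (e) { return e instanceof Error ? e.name : "unknown"; }
}
```

In a real server the invalid-query case should never reach the rule compiler at all: validation runs first and rejects unknown fields, so an authorization plugin that compiles rules from the raw document before validation is working on input the executor would refuse.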
Most new repositories for the organization and the community use pnpm. We need to look ahead and use a modern approach too.
I have a code-first schema using Apollo v4 server. I have something like this:
  currentMarketUser: {
    extensions: createAuthZExtensions({
      rules: ["IsMarketUserOnly"],
    }),
    type: internalServices.IAMService.api.graph.types.CurrentMarketUserType,
    resolve: (_, args, context) =>
      internalServices.IAMService.api.graph.queries.currentMarketUser(_, args, context),
  },
but it seems the rule never runs. I read the library code and it seems
  const compiledRules = (0, core_1.compileRules)({
    document: filteredDocument,
    schema: requestContext.schema,
    rules,
    variables,
    directiveName,
    authSchemaKey,
    authSchema
  });
compiledRules is empty and I think it's because it checks only entities but not the top-level query function. Is it supposed to? I feel like I copied the examples pretty closely.
Thanks for the help!
@graphql-authz/[email protected] declares @graphql-authz/[email protected] as a dependency.
This can lead to a dangerous setup: this is what I had on my project:
@graphql-authz/[email protected]
@graphql-authz/[email protected]
Because my @graphql-authz/core was at version 1.2.1, my @graphql-authz/apollo-server-plugin was using an extra instance of @graphql-authz/core at version 1.3.0. This makes the two packages disconnected.
This setup results in all rules being silently ignored while running the graphql server.
A possible solution could be to declare @graphql-authz/[email protected] as a peer dep, so yarn does not create an extra instance.
The runtime would crash, which would be desirable.
After digging for quite a while I found the reason why the compiled version of my esm and esbuild based project contains the graphql dependency twice.
The culprit is line 14 of rules-compiler.ts in graphql-authz. graphql is marked as a peer dependency, but the deep import of getArgumentValues still pulls in the complete graphql library a second time. graphql detects this and throws the "Ensure that there is only one instance of 'graphql' in node_modules" error, making 'graphql-authz' essentially incompatible with my setup.
The good news: there's no reason for the deep import, because getArgumentValues is also exported at the top level. If you could fix this, I would be very grateful.
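Both of the last two reports are about the same class of problem: two copies of one package end up in the process, and either they disagree silently (two @graphql-authz/core instances, every rule ignored) or one of them notices and refuses to run (graphql-js, whose "only one instance of 'graphql'" error is exactly such a self-check). The TypeScript below is an added example, not code from graphql-authz or graphql-js, showing the self-check pattern: on load, a module records itself under a well-known key on globalThis and throws if a copy from a different path is already registered, so a split dependency tree crashes at startup instead of failing open. The key name, record shape and the node_modules paths are constructed for the example.

```typescript
// Added example, not graphql-authz code: make a duplicated package fail loudly.
// Hypothetical registry key; Symbol.for would also work, a string keeps typing simple.
const INSTANCE_KEY = "__graphqlAuthzCoreInstance";

interface InstanceRecord {
  version: string;    // package.json version of the loaded copy
  modulePath: string; // where it was loaded from, e.g. __filename or import.meta.url
}

class DuplicateInstanceError extends Error {
  readonly existing: InstanceRecord;
  readonly incoming: InstanceRecord;
  constructor(existing: InstanceRecord, incoming: InstanceRecord) {
    super(
      `@graphql-authz/core loaded twice: ${existing.version} from ${existing.modulePath} ` +
      `and ${incoming.version} from ${incoming.modulePath}. Rules compiled by one copy are ` +
      `invisible to the other; deduplicate the dependency (peer dependency, resolutions/overrides).`
    );
    this.name = "DuplicateInstanceError";
    this.existing = existing;
    this.incoming = incoming;
  }
}

// The registry lives on globalThis so every copy of the module, whatever its
// node_modules path, sees the same record.
function registry(): Record<string, unknown> {
  return globalThis as unknown as Record<string, unknown>;
}

// Called once at module load. Re-registering the same path is harmless (module cache);
// a second copy from a different path is rejected.
function registerInstance(record: InstanceRecord): InstanceRecord {
  const existing = registry()[INSTANCE_KEY] as InstanceRecord | undefined;
  if (existing !== undefined && existing.modulePath !== record.modulePath) {
    throw new DuplicateInstanceError(existing, record);
  }
  registry()[INSTANCE_KEY] = record;
  return record;
}

function currentInstance(): InstanceRecord | undefined {
  return registry()[INSTANCE_KEY] as InstanceRecord | undefined;
}

function resetInstanceRegistry(): void {
  delete registry()[INSTANCE_KEY];
}

// Constructed paths matching the dependency tree described in the report above:
// a hoisted core 1.2.1 and a nested core 1.3.0 under the apollo-server plugin.
const ROOT_CORE = "/app/node_modules/@graphql-authz/core/dist/index.js";
const NESTED_CORE = "/app/node_modules/@graphql-authz/apollo-server-plugin/node_modules/@graphql-authz/core/dist/index.js";

// Simulates both copies loading; returns the name of the error raised, or "none".
function simulateSplitTree(): string {
  resetInstanceRegistry();
  registerInstance({ version: "1.2.1", modulePath: ROOT_CORE });
  try {
    registerInstance({ version: "1.3.0", modulePath: NESTED_CORE });
    return "none";
  } catch (e) {
    return e instanceof Error ? e.name : "unknown";
  } finally {
    resetInstanceRegistry();
  }
}
```

The check is deliberately keyed on the module path rather than the version: two copies with the same version number are still two copies with two separate rule registries. Declaring core as a peer dependency, as the report suggests, is what prevents the split in the first place; the runtime check is the safety net for when the package manager does it anyway.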
  export const authZRules = {
    IsAdmin
  } as const;
  const authSchema = {
    User: {
      email: { __authz: { rules: ['isAdmin'] } }
    }
  };
Did you spot the typo? I think it's necessary to check if a rule used in a schema even exists, to prevent unintended data leakage.
I would make a simple check inside this function:
graphql-authz/packages/core/src/config.ts, line 13 in 61b44e3
I can do it and make a PR if you want. What's your opinion?
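The check the report asks for is a startup-time validation of the auth schema against the set of defined rules. The TypeScript below is an added example, not graphql-authz's config.ts or its actual API: it walks a type -> field -> __authz structure shaped like the authSchema literal above, collects every rule name that is not defined, and offers a case-insensitive near-miss as a hint (which is exactly what catches isAdmin vs IsAdmin). The AuthSchema type, the function names and the sample inputs are constructed for the example.

```typescript
// Added example, not graphql-authz code: refuse auth schemas that name undefined rules,
// so a typo cannot silently leave a field unprotected.
type RuleName = string;

interface AuthzMarker { rules?: RuleName[]; }
interface FieldEntry { __authz?: AuthzMarker; }
// type -> { __authz?: type-level marker, <field>: { __authz?: field-level marker } }
type AuthSchema = Record<string, Record<string, AuthzMarker | FieldEntry | undefined>>;

interface UnknownRuleFinding {
  path: string;          // "User" for a type-level rule, "User.email" for a field-level one
  rule: RuleName;        // the name as written in the auth schema
  suggestion?: RuleName; // a defined rule that differs only in letter case, if any
}

function findUnknownRules(authSchema: AuthSchema, definedRules: Record<RuleName, unknown>): UnknownRuleFinding[] {
  const definedNames = Object.keys(definedRules);
  // lower-cased name -> defined name, to suggest a fix for case typos
  const byLowerCase: Record<string, RuleName | undefined> = {};
  for (const name of definedNames) byLowerCase[name.toLowerCase()] = name;
  const findings: UnknownRuleFinding[] = [];

  const check = (path: string, marker: AuthzMarker | undefined): void => {
    for (const rule of marker?.rules ?? []) {
      if (definedNames.indexOf(rule) !== -1) continue; // exact, case-sensitive match
      const suggestion = byLowerCase[rule.toLowerCase()];
      findings.push(suggestion !== undefined ? { path, rule, suggestion } : { path, rule });
    }
  };

  for (const typeName of Object.keys(authSchema)) {
    const typeEntry = authSchema[typeName];
    for (const key of Object.keys(typeEntry)) {
      const value = typeEntry[key];
      if (value === undefined) continue;
      if (key === "__authz") check(typeName, value as AuthzMarker);                // type-level rules
      else check(`${typeName}.${key}`, (value as FieldEntry).__authz);            // field-level rules
    }
  }
  return findings;
}

// Throws with every problem listed, so the server refuses to start with a broken policy.
function assertRulesExist(authSchema: AuthSchema, definedRules: Record<RuleName, unknown>): void {
  const findings = findUnknownRules(authSchema, definedRules);
  if (findings.length === 0) return;
  const lines = findings.map(
    (f) => `${f.path}: unknown rule "${f.rule}"` + (f.suggestion !== undefined ? ` (did you mean "${f.suggestion}"?)` : "")
  );
  throw new Error(`authSchema references undefined rules:\n${lines.join("\n")}`);
}

// Constructed inputs reproducing the typo from the report (IsAdmin defined, isAdmin used),
// plus a rule that does not exist under any spelling.
const IsAdmin = (): boolean => true; // placeholder rule body; only the name matters here
const definedRules = { IsAdmin } as const;
const authSchemaWithTypo: AuthSchema = {
  User: {
    __authz: { rules: ["IsAdmin"] },
    email: { __authz: { rules: ["isAdmin"] } },
    role: { __authz: { rules: ["IsSuperUser"] } },
  },
};
```

Running assertRulesExist at configuration time, before the server accepts traffic, is the right place for this: a rule name that resolves to nothing at request time is a policy that was never enforced, and the request path has no good way to tell that apart from a field that intentionally has no rules.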
Hey,
Just wrote a tiny plugin for GiraphQL that makes applying rules to fields/types slightly simpler when building schemas with giraphql. https://giraphql.com/plugins/authz
Obviously not necessary to make things work, but gets you something with better type-checking and avoids needing to define a complicated extensions object for each field/type.
Was just skimming through some of the code when I fixed the __typename issue and it looks like authorization rules on objects are ignored when the query resolved them through a union or interface. This seems like a pretty important case to cover. This would make any nodes in a relay style graph accessible without auth checks through the node or nodes queries.
A follow-up to Issue: #58
With #126 pre-execute rules are fixed for both Unions and Interfaces. However, post-exec rules still require a fix.
The problem raised with post-exec rules with union types is figuring out what object type GraphQL returned. We should not run rules of types that actually are not used at runtime, even if they were used in the user's request schema.
The ideal way is to use the resolveType implementation defined on the union type by a server. However, it can be used only in GraphQL's internal execute context. Please track graphql/graphql-js#4156 for a solution.
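The two reports above describe the bypass (an object reached through node or nodes carries none of its type's rules) and the two halves of the fix: before execution, the concrete type is unknown, so rules for every possible member of the interface or union have to be compiled; after execution, only the type that actually came back should be checked, and determining that type from outside the executor is the open problem. The TypeScript below is an added example, not graphql-authz's implementation: it shows the pre-execution expansion over a possible-types map, and a post-execution lookup that relies on the result carrying its concrete type name in __typename (an assumption for this example; as the report says, the executor's resolveType is the authoritative source). The schema, auth rules and function names are constructed.

```typescript
// Added example, not graphql-authz code: type-level rules behind an interface or union.

// Constructed possible-types map, as a server can derive from its schema
// (graphql-js exposes this through GraphQLSchema.getPossibleTypes).
const possibleTypes: Record<string, string[]> = {
  Node: ["User", "Post"],
  SearchResult: ["User", "Post", "Comment"],
};

// Constructed type-level auth schema. Comment deliberately has no rules.
const typeRules: Record<string, string[]> = {
  User: ["IsAuthenticated"],
  Post: ["IsPublicOrOwner"],
};

function isAbstract(typeName: string): boolean {
  return Object.prototype.hasOwnProperty.call(possibleTypes, typeName);
}

function concreteTypesOf(typeName: string): string[] {
  return isAbstract(typeName) ? possibleTypes[typeName] : [typeName];
}

// Pre-execution: the concrete type is not known yet, so compile a rule set for
// every possible member. Fetching a User through `node` must not skip User's rules.
function preExecRulesFor(returnType: string): Record<string, string[]> {
  const out: Record<string, string[]> = {};
  for (const t of concreteTypesOf(returnType)) out[t] = typeRules[t] ?? [];
  return out;
}

// Post-execution: run only the rules of the type that actually came back.
// Assumption for this example: the resolved object carries its concrete type in
// __typename. When it does not, return undefined so the caller can deny rather
// than guess; a type name outside the abstract type's members is an error.
function postExecRulesFor(returnType: string, result: { __typename?: string } | null): string[] | undefined {
  if (result === null) return [];                              // nothing was returned, nothing to protect
  if (!isAbstract(returnType)) return typeRules[returnType] ?? [];
  const actual = result.__typename;
  if (actual === undefined) return undefined;                  // concrete type unknown from here
  if (possibleTypes[returnType].indexOf(actual) === -1) {
    throw new Error(`${actual} is not a possible type of ${returnType}`);
  }
  return typeRules[actual] ?? [];
}

// Helper for the examples: flatten a pre-exec rule map into "Type:rule" entries, sorted.
function flattenRules(rulesByType: Record<string, string[]>): string[] {
  const out: string[] = [];
  for (const t of Object.keys(rulesByType)) for (const r of rulesByType[t]) out.push(`${t}:${r}`);
  return out.sort();
}
```

A caller of postExecRulesFor should treat undefined as a denial, not as "no rules": an abstract return type whose concrete type cannot be established is precisely the situation in which the report's bypass occurs.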
If using @apollo/server v4 the "context" value in rule execution is undefined.
This is because: (https://www.apollographql.com/docs/apollo-server/migration/#fields-on-graphqlrequestcontext)
The context field has been renamed contextValue for consistency with the graphql-js API and to help differentiate from the context option of integration functions (the function which returns a context value).
Adjusting the code for the plugin might not be too tricky, but new tests need to be written since @apollo/server v4 also changes mocks. (https://www.apollographql.com/docs/apollo-server/testing/mocking/)
New in Apollo Server 4: Apollo Server 4 removes both the mocks and mockEntireSchema constructor options
I am creating this issue as a placeholder, since my PR fails type-based tests. #92
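The failure described above is quiet: a plugin written for apollo-server 3 reads requestContext.context, on @apollo/server 4 that property no longer exists, and every rule then runs against undefined. The TypeScript below is an added example, not graphql-authz's plugin code: it reads the context from whichever property the request context exposes, and pairs that with a rule that denies whenever the context is missing or malformed, so a renamed field can never turn into an allow. The request-context interfaces and the sample rule are constructed for the example and are not Apollo's own types.

```typescript
// Added example, not graphql-authz code: tolerate both Apollo request-context shapes
// and fail closed when no context is available.

// Minimal stand-ins for the two GraphQLRequestContext shapes (constructed, not Apollo's types).
interface RequestContextV3 { context: unknown; }      // apollo-server 2/3
interface RequestContextV4 { contextValue: unknown; } // @apollo/server 4
type AnyRequestContext = Partial<RequestContextV3 & RequestContextV4>;

// Prefer the v4 name, fall back to the v3 name, and refuse anything that has neither
// rather than silently handing undefined to the rules.
function getContextValue(rc: AnyRequestContext): unknown {
  if ("contextValue" in rc) return rc.contextValue;
  if ("context" in rc) return rc.context;
  throw new Error("request context exposes neither contextValue (v4) nor context (v2/v3)");
}

// A rule in the usual graphql-authz style: a predicate over the request context.
interface UserContext { user?: { id: string; roles: string[] }; }

function isAuthenticated(context: unknown): boolean {
  // An undefined or malformed context must deny, never grant.
  if (typeof context !== "object" || context === null) return false;
  const user = (context as UserContext).user;
  return user !== undefined && typeof user.id === "string";
}

function evaluateIsAuthenticated(rc: AnyRequestContext): "allow" | "deny" {
  return isAuthenticated(getContextValue(rc)) ? "allow" : "deny";
}

// Constructed request contexts for the same authenticated user on both server versions.
const v4Request: AnyRequestContext = { contextValue: { user: { id: "u1", roles: ["admin"] } } };
const v3Request: AnyRequestContext = { context: { user: { id: "u1", roles: ["admin"] } } };

// What a v3-era plugin sees on a v4 server when it reads rc.context: undefined.
const v4SeenThroughV3Field: unknown = (v4Request as RequestContextV3).context;
```

The important property is the last one: isAuthenticated(undefined) is false. A rule that instead did `context.user` would throw, and one that did `context?.user?.roles?.includes("admin") ?? true` would fail open; neither is acceptable in an authorization layer.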
I tried adding rules with the custom GraphqlError, but the response throws the correct error message with the wrong error.extensions.code.
I'd like to be able to return null (or other specified value) for a field when the authz check fails.
See #65 (comment)
Getting errors about @graphql-authz/envelop-plugin having conflicting peer dependencies:
xxx in ~/xxx > npm install @graphql-authz/envelop-plugin
npm error code ERESOLVE
npm error ERESOLVE unable to resolve dependency tree
npm error
npm error While resolving: @anvara-project/[email protected]
npm error Found: @envelop/[email protected]
npm error node_modules/@envelop/core
npm error @envelop/core@"^5.0.1" from the root project
npm error
npm error Could not resolve dependency:
npm error peer @envelop/core@"^1.0.3" from @graphql-authz/[email protected]
npm error node_modules/@graphql-authz/envelop-plugin
npm error @graphql-authz/envelop-plugin@"*" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /xx/xx/.npm/_logs/2024-06-14T14_03_36_591Z-eresolve-report.txt
npm error A complete log of this run can be found in: /Users/xx/.npm/_logs/2024-06-14T14_03_36_591Z-debug-0.log