
graphql-authz's People

Contributors

davidtkachenkoastrumu, defond0, dependabot[bot], dimatill, github-actions[bot], hayes, kerimcharfi, vtereshyn

graphql-authz's Issues

Check if rules used in authSchema even exists

export const authZRules = {
    IsAdmin
} as const;

const authSchema = {
  User: {
    email: { __authz: { rules: ['isAdmin'] } }
  }
};

Did you spot the typo? I think it's necessary to check if a rule used in a schema even exists, to prevent unintended data leakage.

I would add a simple check inside this function:

export function completeConfig(

I can do it and make a PR if you want. What's your opinion?
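An added example of the kind of startup check this issue asks for; it is not graphql-authz code. It assumes the auth-schema shape shown above (type and field entries carrying `__authz: { rules: [...] }`) and reports every rule name that is not a key of the rules object, so a misspelling fails at startup instead of silently leaving a field unprotected.

```javascript
// Added example (not graphql-authz code): fail fast on unknown rule names.
// Assumed auth-schema shape, taken from the issue: objects whose type or field
// entries may carry `__authz: { rules: [...] }`.

// Constructed rules object; the values stand in for rule implementations.
const authZRules = {
  IsAdmin: { /* rule implementation omitted */ },
  IsAuthenticated: { /* rule implementation omitted */ },
};

// Constructed auth schema that repeats the typo from the issue ('isAdmin').
const authSchema = {
  User: {
    __authz: { rules: ['IsAuthenticated'] },
    email: { __authz: { rules: ['isAdmin'] } },
  },
};

// Returns "Type -> rule" / "Type.field -> rule" strings for every rule name
// that is not declared in `rules`. An empty list means the schema is consistent.
function findUnknownRules(schema, rules) {
  const known = new Set(Object.keys(rules));
  const problems = [];
  for (const [typeName, typeConfig] of Object.entries(schema)) {
    for (const r of typeConfig.__authz?.rules ?? []) {
      if (!known.has(r)) problems.push(`${typeName} -> ${r}`);
    }
    for (const [fieldName, fieldConfig] of Object.entries(typeConfig)) {
      if (fieldName === '__authz') continue;
      for (const r of fieldConfig.__authz?.rules ?? []) {
        if (!known.has(r)) problems.push(`${typeName}.${fieldName} -> ${r}`);
      }
    }
  }
  return problems;
}

// Throws so that server startup aborts instead of running with a skipped rule.
function assertAuthSchemaRulesExist(schema, rules) {
  const problems = findUnknownRules(schema, rules);
  if (problems.length > 0) {
    throw new Error(`Unknown authz rules: ${problems.join(', ')}`);
  }
}
```

Call `assertAuthSchemaRulesExist(authSchema, authZRules)` once while building the server, before any request is served.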

Queries with fields not in the schema cause an unhandled TypeError

When using the apollo-server plugin it looks like when an invalid query is passed to the API, the plugin throws a type error.

TypeError: Cannot read properties of undefined (reading 'args')
    at getArgumentValues (/Users/jeffreydefond/projects/graphql-authz/node_modules/graphql/execution/values.js:183:28)
    at Object.Field (/Users/jeffreydefond/projects/graphql-authz/packages/core/src/rules-compiler.ts:290:27)
    at Object.enter (/Users/jeffreydefond/projects/graphql-authz/node_modules/graphql/utilities/TypeInfo.js:387:27)
    at visit (/Users/jeffreydefond/projects/graphql-authz/node_modules/graphql/language/visitor.js:200:21)
    at compileRules (/Users/jeffreydefond/projects/graphql-authz/packages/core/src/rules-compiler.ts:346:3)
    at Object.requestDidStart (/Users/jeffreydefond/projects/graphql-authz/packages/plugins/apollo-server/src/index.ts:26:29)
    at initializeRequestListenerDispatcher (/Users/jeffreydefond/projects/graphql-authz/node_modules/apollo-server-express/node_modules/apollo-server-core/src/requestPipeline.ts:598:39)
    at processGraphQLRequest (/Users/jeffreydefond/projects/graphql-authz/node_modules/apollo-server-express/node_modules/apollo-server-core/src/requestPipeline.ts:115:28)
    at ApolloServer.executeOperation (/Users/jeffreydefond/projects/graphql-authz/node_modules/apollo-server-express/node_modules/apollo-server-core/src/ApolloServer.ts:995:33)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)

@graphql-authz/apollo-server-plugin should probably use @graphql-authz/core as peer dep

@graphql-authz/[email protected] declares @graphql-authz/[email protected] as dependency.

This can lead to a dangerous setup: this is what I had on my project:

@graphql-authz/[email protected]
@graphql-authz/[email protected]

Because my @graphql-authz/core was at version 1.2.1, my @graphql-authz/apollo-server-plugin was using an extra instance of @graphql-authz/core at version (1.3.0). This makes the two packages disconnected.
This setup results in all rules being silently ignored while running the graphql server.

A possible solution could be to declare @graphql-authz/[email protected] as peer dep, so yarn does not create an extra instance.
The runtime would crash, which would be desirable.

rules-compiler breaks esm build

After digging for quite a while I found the reason why the compiled version of my esm and esbuild based project contains the graphql dependency twice.
The culprit is line 14 of rules-compiler.ts in graphql-authz. graphql is marked as a peer dependency, but the deep import of getArgumentValues, still pulls in the complete graphql library a second time. graphql detects this and throws the "Ensure that there is only one instance of 'graphql' in node_modules" error, making 'graphql-authz' essentially incompatible with my setup.

The good news: there's no reason for the deep import, because getArgumentValues is also exported at the top level. If you could fix this, I would be very grateful.

GiraphQL compatibility

Hey,

Just wrote a tiny plugin for GiraphQL that makes applying rules to fields/types slightly simpler when building schemas with giraphql. https://giraphql.com/plugins/authz

Obviously not necessary to make things work, but gets you something with better type-checking and avoids needing to define a complicated extensions object for each field/type.

Migrate to pnpm

Most new repositories for the organization and the community use pnpm. We need to look ahead and use a modern approach too.

Am I doing something wrong?

I have a code first schema using apollo v4 server. I have something like this:

currentMarketUser: {
  extensions: createAuthZExtensions({
    rules: ["IsMarketUserOnly"],
  }),
  type: internalServices.IAMService.api.graph.types
    .CurrentMarketUserType,
  resolve: (_, args, context) =>
    internalServices.IAMService.api.graph.queries.currentMarketUser(
      _,
      args,
      context
    ),
},

but it seems the rule never runs. I read the library code and it seems

const compiledRules = (0, core_1.compileRules)({
  document: filteredDocument,
  schema: requestContext.schema,
  rules,
  variables,
  directiveName,
  authSchemaKey,
  authSchema
});

compiledRules rules is empty and I think it's because it's checking only entities but not the top-level query function. Is it supposed to? I feel like I copied the examples pretty closely.

thanks for the help!

Authorization checks not applied correctly for unions and interfaces

Was just skimming through some of the code when I fixed the __typename issue and it looks like authorization rules on objects are ignored when the query resolved them through a union or interface. This seems like a pretty important case to cover. This would make any nodes in a relay style graph accessible without auth checks through the node or nodes queries.

@graphql-authz/envelop-plugin has conflicting peer dependencies

Getting errors that @graphql-authz/envelop-plugin has conflicting peer dependencies:

xxx in ~/xxx > npm install @graphql-authz/envelop-plugin
npm error code ERESOLVE
npm error ERESOLVE unable to resolve dependency tree
npm error
npm error While resolving: @anvara-project/[email protected]
npm error Found: @envelop/[email protected]
npm error node_modules/@envelop/core
npm error   @envelop/core@"^5.0.1" from the root project
npm error
npm error Could not resolve dependency:
npm error peer @envelop/core@"^1.0.3" from @graphql-authz/[email protected]
npm error node_modules/@graphql-authz/envelop-plugin
npm error   @graphql-authz/envelop-plugin@"*" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /xx/xx/.npm/_logs/2024-06-14T14_03_36_591Z-eresolve-report.txt
npm error A complete log of this run can be found in: /Users/xx/.npm/_logs/2024-06-14T14_03_36_591Z-debug-0.log

The apollo-server-plugin needs to be updated for Apollo Server v4

If using @apollo/server v4 the "context" value in rule execution is undefined.

This is because: (https://www.apollographql.com/docs/apollo-server/migration/#fields-on-graphqlrequestcontext)

The context field has been renamed contextValue for consistency with the graphql-js API and to help differentiate from the context option of integration functions (the function which returns a context value).

Adjusting the code for the plugin might not be too tricky, but new tests need to be written since @apollo/server v4 also changes mocks. (https://www.apollographql.com/docs/apollo-server/testing/mocking/)

📣 New in Apollo Server 4: Apollo Server 4 removes both the mocks and mockEntireSchema constructor options

I am creating this issue as a placeholder, since my PR fails type-based tests. #92
