Comments (8)
@jgmize I actually helped design that system, I'm fairly familiar 😊
I think unifying auth schemes is definitely a long term goal and it wouldn't be too hard. I think the only difference would be the PostgREST claims are set to `postgrest.claims.*`. I'd like to put it somewhere more general. If someone wants to write up a specification, I'd implement it.
cc @begriffs @ruslantalpa @diogob
@lfittl yeah, pluggability is a definite design goal (don't want PostGraphQL to be in the auth game too much 😉). I'll leave this open as a place to discuss how auth will work until a PR gets merged in.
Just opened up a PR containing authorization and a JWT serialization specification at #26. Let's move the discussion there.
Authentication/Authorization I have not put into PostGraphQL but is definitely on my roadmap. The reason it's not done yet is I'm still trying to decide the best way to do auth in GraphQL. I really want to get auth right so we don't have to make breaking changes. Here are my current ideas, tell me what you think:
Authorization
JWTs. The JWT would contain a `role` field which would be used by PostgreSQL to set the role and other fields would be set as local variables (so say a `user_id` field in the JWT could be accessed by `local_setting('jwt.claims.user_id')` in PostgreSQL).
Authentication
There are two phases of authentication in my mind.
- Do nothing. Since authorization is done via JWT as long as there's a shared secret, the user can issue their own tokens using Auth0, PassportJS, or whatever their heart desires.
- Add an optional argument to enable a JWT auth scheme that does not use refresh tokens. Such an auth scheme would need a relation (view or table) with three columns `user`, `pass`, and `role` where `user` would be a unique identifier (like name or email), `pass` would be the encrypted password, `role` would be the PostgreSQL role for this user. This relation would be used for issuing tokens. For creating a user, we would insert into this relation `user` and `pass`. Extra columns could be specified on the relation for extra claims in the issued JWT. This authentication method must be completely optional and I'm not sure whether it's worth including.
Thoughts?
@calebmer I wonder if it makes sense to make authorization pluggable - in many projects where we've started new services, we initially just read the cookie set by the main app, with some wrapping code to determine the objects one can access using the user_id inside the cookie.
Not saying that this project should support such a mechanism directly, but it'd be helpful if the necessary hooks were provided when you end up building a solution (e.g. using JWT by default).
@calebmer I recommend taking a look at the examples in http://postgrest.com/examples/users/ if you haven't already. I see a lot of parallels between your thinking and what's been implemented there.
If you decided to adopt the same approach, it may even be possible to point both PostGraphQL and PostgREST services at the same db schema and share JWTs between the two APIs.
I think Membership.DB is a good reference for a DB schema, just need to add a column to `User` for the role.
@tobiasmuehl thanks so much for that link!