Comments (4)
The above refers to: setup.sh in this example. But I see that the same terms are used in the Postgraphile Starter (full-stack opinionated example).
from examples.
If I'm understanding the explanation correctly, a query by a non-verified user will be as an "Authenticator." And once the user logs in/gets verified, then the queries will be ran as a "Visitor." Could someone verify this is the correct understanding?
This is not correct. Everyone who visits the site is a visitor (except potentially you might add different roles in future such as "admin") - so whether you're logged in or not you're a visitor. The authenticator is the role that authenticates against the database (i.e. has a password, is used in the PostgreSQL connection string) and can then switch into the relevant role for the user once it has authenticated them ("yes, I believe you are use 27", or "yes, I believe you are an anonymous visitor"). The roles the authenticator can switch to (such as "visitor") do not have passwords - you cannot access them directly, only via the authenticator. In this repository so far the authenticator always changes into the "visitor" role when serving a GraphQL request, but you could expand the list of potential roles in future, e.g. adding "admin", "manager", "backup", etc. Note the authenticator role has both more and fewer privileges than "visitor" - it has the "noinherit" flag so it cannot do anything itself (we've not granted it any table/schema privileges), however it can switch into more powerful roles that can do the things we grant.
The rest of your questions stem from the above misunderstanding, so hopefully this clears things up.
Please could you point to where the explanation was that confused you? I'd like to have a go at making the wording more clear.
from examples.
Hi Benjie, thanks for the quick reply and the clarification! My apologies for the misunderstanding.
I believe my confusion came from the terms changing from the different names used for each of the example/tutorial.
Main documentation (https://www.graphile.org/postgraphile/default-role/) uses auth_user.
Forum example (https://github.com/graphile/postgraphile/blob/master/examples/forum/schema.sql) uses forum_example_postgraphile, forum_example_person, forum_example_anonymous.
Full-stack Starter (https://github.com/graphile/starter) uses Owner, Authenticator and Visitor.
Granted each of them are doing things slightly differently, but it somewhat confused me as an inexperienced programmer/graphql/postgraphile user.
Are there any schema examples of a schema that uses multiple roles using sessions? The main documentation uses jwt, but it looks like even you have moved away from jwt and is using sessions (postgres or redis) to manage the roles.
The Full-stack Starter uses one Visitor but with is_admin value for app_public.users, which I assume means it is intended that all queries happen with the Visitor but the query will be verified/filtered in the backend. I believe you intend the additional roles to be administered in the async pgSettings(req) function (@app/server/src/middleware/installPostGraphile.ts row 199), is that correct? get the query, and then issue the role object? I see your comment in row 209 ("Everyone uses the "visitor" role currently").
Thank you so much for your effort in building/maintaining such an amazing software.
from examples.
I believe my confusion came from the terms changing from the different names used for each of the example/tutorial.
Fair enough; there's lots of potential ways of building valid schemas with PostGraphile.
Are there any schema examples of a schema that uses multiple roles using sessions?
I can't think of any off-hand.
The main documentation uses jwt, but it looks like even you have moved away from jwt and is using sessions (postgres or redis) to manage the roles.
The original PostGraphQL author added the JWT functionality, I don't use it (and never have). Lots of people seem to like/want JWT though, so we leave the JWT features supported and the tutorial uses it because to use sessions you need to understand Express, sessions, etc; whereas with JWT you can do it with the PostGraphile CLI.
The Full-stack Starter uses one Visitor but with is_admin value for app_public.users, which I assume means it is intended that all queries happen with the Visitor but the query will be verified/filtered in the backend.
We don't currently use the is_admin
flag for anything. I might use a PostgreSQL role to represent it, but more likely I'd just use SECURITY DEFINER
functions in the database for custom mutations that only the admin can run.
I believe you intend the additional roles to be administered in the async pgSettings(req) function (@app/server/src/middleware/installPostGraphile.ts row 199), is that correct?
Yes, if you need more than one role that'd be where to do it.
get the query, and then issue the role object? I see your comment in row 209 ("Everyone uses the "visitor" role currently").
s/query/request/ -> yes.
Thank you so much for your effort in building/maintaining such an amazing software.
Thanks! If you want to help me continue to make awesome OSS, please consider sponsoring me: https://www.graphile.org/sponsor/ Every contribution helps.
I'm going to close this issue as I think it's sufficiently addressed.
from examples.
Related Issues (8)
- Setup script missing plv8 extension HOT 4
- Yarn start is failing HOT 2
- Type Error HOT 3
- Use 127.0.0.1 for brew HOT 6
- PostgreSQL registration/login fails HOT 1
- Share a postgraphilerc between the different servers + CLI HOT 1
- license HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from examples.