Comments (14)
No, I haven't found anything more. I worked around this by adding a custom requirement that implements IAuthorizationRequirement, so I'm OK.
But neither do I necessarily think this should be closed. There's definitely an issue here. I know that @joemcbride has been busy with his job, so maybe he'll be able to chime in when he has more time.
from authorization.
@bogdancice seems to work for the complex type itself but not its fields, at least for me...
variableData does not contain the keys of the fields that I passed in and therefore no authorization checks are performed on the employeeId field I passed in.
from authorization.
@furier good point, you are right. I fixed the issue and added unit tests.
from authorization.
Indeed that should have been working with that PR (though I failed to ask for tests to verify). Can you provide a failing test to demonstrate the issue?
from authorization.
I'm also having this issue. I tried creating a test to prove it, without success. I can report, though, that at least in my setup, the _.Match<ObjectField> handler in AuthorizationValidationRule is never being hit, if that sheds any light.
from authorization.
From stepping through local code, I'm also seeing that an ObjectField for the field I have the AuthorizeWith on is not created until during DocumentExecuter.BuildExecutionContext which happens after the document has been validated, so I'm not seeing how the ObjectField matcher will work here.
To be clear, the field I want to authorize on is on one of the variable values. @okarlsson, @cotzo, is that also what you are doing?
from authorization.
I tried forking this repo and replicating the issue with some unit tests, but everything seemed to work there.
Currently I'm using my own implementations of IValidationRule so I don't have this problem in my project any longer.
Have you found anything else regarding this @chris-nissen or should we close the issue for now?
from authorization.
Hi guys,
I encountered this problem also. It seems that it partially works.
- It works when you write all the input data in the query/mutation.
- It doesn't work when you put the input data in Variables.

Example:

InputObjectGraphType class:

    public class UserFilterType : InputObjectGraphType<UserFilter>
    {
        public UserFilterType()
        {
            Field(x => x.UserRole, true).AuthorizeWith("SuperAdmin");
        }
    }

Works in case 1:
- Operation:

    query { user{ search( filtering:{ UserRole: Admin } ){ totalCount items{ email id } } } }

Doesn't work in case 2:
- Operation:

    query search( $filtering: UserFilterType!) { userProfiles { search( filtering: $filtering ) { items { id email } totalCount } } }

- Variable:

    {"filtering":{"UserRole": "ADMIN"}}

From the debugging I've done, I concluded that:
- in the first case the GraphQL library creates an instance of type ObjectField for my input object named Filtering (the pull request #17 fixed authorization only for this type of fields)
- in the second case the GraphQL library creates an instance of type VariableReference for my input object named Filtering
from authorization.
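The gap described in the comment above, as an added illustration that is not code from this thread or from the GraphQL.NET authorization project: a rule that inspects only inline ObjectField nodes never sees keys supplied through variables, so the supplied variable values have to be walked against the input type's per-field policies as well. InputTypeDef, VariableAuthCheck and RequiredPolicies are hypothetical names, and the sketch assumes the variables are already deserialized into dictionaries and lists.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical model of an input type: field name -> (required policy or null, nested input type or null).
public sealed class InputTypeDef
{
    public Dictionary<string, (string Policy, InputTypeDef Nested)> Fields { get; } =
        new Dictionary<string, (string Policy, InputTypeDef Nested)>();
}

public static class VariableAuthCheck
{
    // Walks a deserialized variable value and yields the policy of every
    // input field the client actually supplied, including nested objects and lists.
    public static IEnumerable<string> RequiredPolicies(InputTypeDef type, object value)
    {
        if (value is IDictionary<string, object> obj)
        {
            foreach (var kv in obj)
            {
                if (!type.Fields.TryGetValue(kv.Key, out var field)) continue; // undeclared keys: left to input validation
                if (field.Policy != null) yield return field.Policy;
                if (field.Nested != null)
                    foreach (var p in RequiredPolicies(field.Nested, kv.Value))
                        yield return p;
            }
        }
        else if (value is IEnumerable<object> list)
        {
            foreach (var item in list)
                foreach (var p in RequiredPolicies(type, item))
                    yield return p;
        }
    }

    public static void Main()
    {
        // Mirrors UserFilterType: UserRole requires the "SuperAdmin" policy.
        var userFilter = new InputTypeDef();
        userFilter.Fields["UserRole"] = ("SuperAdmin", null);
        // Constructed sample: the variables payload from case 2, already deserialized.
        var variables = new Dictionary<string, object> { ["filtering"] = new Dictionary<string, object> { ["UserRole"] = "ADMIN" } };
        var callerPolicies = new HashSet<string> { "Admin" }; // constructed caller without SuperAdmin
        var missing = RequiredPolicies(userFilter, variables["filtering"])
            .Where(p => !callerPolicies.Contains(p)).Distinct().ToList();
        Console.WriteLine(missing.Count == 0 ? "authorized" : "denied, missing: " + string.Join(", ", missing));
    }
}
```

Only fields present in the payload contribute a policy, so a caller who omits UserRole from the variables is not asked for SuperAdmin.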
@okarlsson could you provide the implementation for IValidationRule that works for arguments?
I am also having the issue that authorization is not being checked for InputObjectGraphType.
from authorization.
> @okarlsson could you provide the implementation for IValidationRule that works for arguments? I am also having the issue that authorization is not being checked for InputObjectGraphType.
@furier - I posted a comment in a different issue that gives an example for the implementation. You can find it here: #6 (comment)
I also recommend you to check out the Authorization chapter in the docs that my solution is heavily based on: https://graphql-dotnet.github.io/docs/getting-started/authorization.
from authorization.
@okarlsson thanks, but seems I have a different problem then. The _.Match<Field>(...) never triggers for the input types or its sub fields, so I am unable to do any authentication.
However _.Match<Argument>(...) hits, and I am able to do authentication for the whole argument type, but if the argument type is complex and contains different authentication rules for its sub fields they are not checked, which is the last missing part I need.
from authorization.
I've added a fix for the issue I've explained in the comments above. @joemcbride please take a look and let me know what you think. Thanks
from authorization.
@joemcbride when you have some spare time can you please check the PR and let me know what you think? We need Variables Validation in our projects
from authorization.
Fixed in #179. Will be released in v4.1.
from authorization.