1
votes

Still quite new to GraphQL,

The idea is to 'secure' mutations, meaning restricting those to the current user passed in the context. Basic one:

    Create = GraphQL::Relay::Mutation.define do
      name "AddItem"

      input_field :title, !types.String
      return_field :item, Types::ItemType
      return_field :errors, types[types.String]

      resolve ->(object, inputs, ctx) {
        if ctx[:current_user]
          # ... do the stuff ...
          { item: item, errors: [] }
        else
          # ... return an error ...
          { item: nil, errors: ["Not authenticated"] }
        end
      }
    end

Let's say one has multiple mutations… these very same conditions would have to be repeated every time they are needed.

I'm obviously biased by before_action available in rails; is there something similar available in graphql-ruby? (like 'protected mutations'; in any case I'm looking to selectively protect specific parts of the available output, in a centralized setup)

Or should the approach be completely different?

1
any update on how you eventually accomplished this? - maverick5
@maverick5 as shown above, verifying in the resolver; as it is more or less the way to go (see his comment below). You can pass your current user in the context (see the execute method here gist.github.com/benbonnet/5c8b90eaabf2a3cbf71a6c7f910bade0). That said, I ended up going into postgraphql (postgraphile) for those needs; a huge time-saver that dramatically reduces your graphql code boilerplate, and a real enlightenment about many things rails "hides" due to its nature - Ben

1 Answer

1
votes

As of the time of this writing, the GraphQL spec does not define anything having to do with authz/authn. Generally speaking, people put their GraphQL layer behind a gateway of some sort and pass the auth token in with the query. How to do this will depend on your implementation. In the JavaScript GraphQL server, there is a "context" that is passed to all resolvers.

In other words, securing queries and mutations at the resolver level is currently the best practice in GraphQL.

Specific to Ruby, however, it does look like there is a paid version of the software that has some nice auth features built in.

http://graphql-ruby.org/pro/authorization
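One way to keep the resolver-level check the answer recommends without repeating it in every mutation is to wrap the resolver lambdas in a single helper. This is an added example, not code from the question, the answer or graphql-ruby itself; it assumes the legacy `resolve ->(object, inputs, ctx)` signature shown in the question, that `ctx[:current_user]` is set by the `execute` call, and that results are hashes carrying an `:errors` list. The `Protected` module, its `policy:` option and the sample user/item hashes are all constructed for this illustration.

```ruby
# Constructed helper: centralises the "signed-in user required" check so each
# graphql-ruby resolver does not repeat it. An optional policy adds an
# authorization check (who may act on this object) on top of authentication.
module Protected
  # Returns a resolver lambda with the same (object, inputs, ctx) signature the
  # legacy GraphQL::Relay::Mutation `resolve` expects. `policy`, if given, is
  # called with (user, object, inputs) and must return true to let the call through.
  def self.resolver(policy: nil, &inner)
    ->(object, inputs, ctx) {
      user = ctx[:current_user]
      return { item: nil, errors: ["You must be signed in"] } unless user
      if policy && !policy.call(user, object, inputs)
        return { item: nil, errors: ["Not authorized"] }
      end
      inner.call(object, inputs, ctx)
    }
  end
end

# In a mutation definition this would read:  resolve Protected.resolver { |o, i, c| ... }
# Below, the wrapped lambdas are exercised directly with plain hashes (constructed
# sample data) so the example runs without a GraphQL server.
ADD_ITEM = Protected.resolver do |_object, inputs, ctx|
  { item: { title: inputs[:title], owner_id: ctx[:current_user][:id] }, errors: [] }
end

# Only the owner of an item may delete it: authentication and authorization in one place.
DELETE_ITEM = Protected.resolver(policy: ->(user, item, _inputs) { item[:owner_id] == user[:id] }) do |item, _inputs, _ctx|
  { item: item.merge(deleted: true), errors: [] }
end

if __FILE__ == $PROGRAM_NAME
  p ADD_ITEM.call(nil, { title: "Milk" }, {})                            # no user -> error
  p ADD_ITEM.call(nil, { title: "Milk" }, { current_user: { id: 1 } })    # created
  p DELETE_ITEM.call({ id: 9, owner_id: 2 }, {}, { current_user: { id: 1 } }) # not owner
end
```

Newer, class-based graphql-ruby versions provide `ready?` and `authorized?` hooks on mutation classes that serve the same centralising purpose.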