Skip to content

Commit

Permalink
release: 1.2.0-rc.1
Browse files Browse the repository at this point in the history
  • Loading branch information
MichalLytek committed Oct 6, 2021
1 parent 094654a commit db5a5da
Show file tree
Hide file tree
Showing 19 changed files with 2,616 additions and 1 deletion.
4 changes: 3 additions & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,9 @@
# Changelog and release notes

## Unreleased
<!-- ## Unreleased -->
<!-- here goes all the unreleased changes descriptions -->

## v1.2.0-rc.1
### Features
- **Breaking Change**: `AuthChecker` type is now "function or class" - update to `AuthCheckerFn` if the function form is needed in the code
- support class-based auth checker, which allows for dependency injection
Expand Down
50 changes: 50 additions & 0 deletions website/i18n/en.json
Original file line number Diff line number Diff line change
Expand Up @@ -502,6 +502,56 @@
"version-1.1.1/version-1.1.1-validation": {
"title": "Argument and Input validation",
"sidebar_label": "Validation"
},
"version-1.2.0-rc.1/version-1.2.0-rc.1-authorization": {
"title": "Authorization"
},
"version-1.2.0-rc.1/version-1.2.0-rc.1-bootstrap": {
"title": "Bootstrapping"
},
"version-1.2.0-rc.1/version-1.2.0-rc.1-complexity": {
"title": "Query complexity"
},
"version-1.2.0-rc.1/version-1.2.0-rc.1-custom-decorators": {
"title": "Custom decorators"
},
"version-1.2.0-rc.1/version-1.2.0-rc.1-dependency-injection": {
"title": "Dependency injection"
},
"version-1.2.0-rc.1/version-1.2.0-rc.1-directives": {
"title": "Directives"
},
"version-1.2.0-rc.1/version-1.2.0-rc.1-examples": {
"title": "Examples",
"sidebar_label": "List of examples"
},
"version-1.2.0-rc.1/version-1.2.0-rc.1-extensions": {
"title": "Extensions"
},
"version-1.2.0-rc.1/version-1.2.0-rc.1-generic-types": {
"title": "Generic Types"
},
"version-1.2.0-rc.1/version-1.2.0-rc.1-interfaces": {
"title": "Interfaces"
},
"version-1.2.0-rc.1/version-1.2.0-rc.1-middlewares": {
"title": "Middleware and guards"
},
"version-1.2.0-rc.1/version-1.2.0-rc.1-performance": {
"title": "Performance"
},
"version-1.2.0-rc.1/version-1.2.0-rc.1-resolvers": {
"title": "Resolvers"
},
"version-1.2.0-rc.1/version-1.2.0-rc.1-subscriptions": {
"title": "Subscriptions"
},
"version-1.2.0-rc.1/version-1.2.0-rc.1-unions": {
"title": "Unions"
},
"version-1.2.0-rc.1/version-1.2.0-rc.1-validation": {
"title": "Argument and Input validation",
"sidebar_label": "Validation"
}
},
"links": {
Expand Down
184 changes: 184 additions & 0 deletions website/versioned_docs/version-1.2.0-rc.1/authorization.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,184 @@
---
title: Authorization
id: version-1.2.0-rc.1-authorization
original_id: authorization
---

Authorization is a core feature used in almost all APIs. Sometimes we want to restrict data access or actions for a specific group of users.

In express.js (and other Node.js frameworks) we use middleware for this, like `passport.js` or the custom ones. However, in GraphQL's resolver architecture we don't have middleware so we have to imperatively call the auth checking function and manually pass context data to each resolver, which might be a bit tedious.

That's why authorization is a first-class feature in `TypeGraphQL`!

## How to use

First, we need to use the `@Authorized` decorator as a guard on a field, query or mutation.
Example object type field guards:

```typescript
@ObjectType()
class MyObject {
@Field()
publicField: string;

@Authorized()
@Field()
authorizedField: string;

@Authorized("ADMIN")
@Field()
adminField: string;

@Authorized(["ADMIN", "MODERATOR"])
@Field({ nullable: true })
hiddenField?: string;
}
```

We can leave the `@Authorized` decorator brackets empty or we can specify the role/roles that the user needs to possess in order to get access to the field, query or mutation.
By default the roles are of type `string` but they can easily be changed as the decorator is generic - `@Authorized<number>(1, 7, 22)`.

Thus, authorized users (regardless of their roles) can only read the `publicField` or the `authorizedField` from the `MyObject` object. They will receive `null` when accessing the `hiddenField` field and will receive an error (that will propagate through the whole query tree looking for a nullable field) for the `adminField` when they don't satisfy the role constraints.

Sample query and mutation guards:

```typescript
@Resolver()
class MyResolver {
@Query()
publicQuery(): MyObject {
return {
publicField: "Some public data",
authorizedField: "Data for logged users only",
adminField: "Top secret info for admin",
};
}

@Authorized()
@Query()
authedQuery(): string {
return "Authorized users only!";
}

@Authorized("ADMIN", "MODERATOR")
@Mutation()
adminMutation(): string {
return "You are an admin/moderator, you can safely drop the database ;)";
}
}
```

Authorized users (regardless of their roles) will be able to read data from the `publicQuery` and the `authedQuery` queries, but will receive an error when trying to perform the `adminMutation` when their roles don't include `ADMIN` or `MODERATOR`.

Next, we need to create our auth checker function. Its implementation may depend on our business logic:

```typescript
export const customAuthChecker: AuthChecker<ContextType> = (
{ root, args, context, info },
roles,
) => {
// here we can read the user from context
// and check his permission in the db against the `roles` argument
// that comes from the `@Authorized` decorator, eg. ["ADMIN", "MODERATOR"]

return true; // or false if access is denied
};
```

The second argument of the `AuthChecker` generic type is `RoleType` - used together with the `@Authorized` decorator generic type.

Auth checker can be also defined as a class - this way we can leverage the dependency injection mechanism:

```ts
export class CustomAuthChecker implements AuthCheckerInterface<ContextType> {
// inject dependency
constructor(private readonly userRepository: Repository<User>) {}

check({ root, args, context, info }: ResolverData<ContextType>, roles: string[]) {
const userId = getUserIdFromToken(context.token);
// use injected service
const user = this.userRepository.getById(userId);

// custom logic here, e.g.:
return user % 2 === 0;
}
}
```

The last step is to register the function or class while building the schema:

```typescript
import { customAuthChecker } from "../auth/custom-auth-checker.ts";

const schema = await buildSchema({
resolvers: [MyResolver],
// here we register the auth checking function
// or defining it inline
authChecker: customAuthChecker,
});
```

And it's done! 😉

If we need silent auth guards and don't want to return authorization errors to users, we can set the `authMode` property of the `buildSchema` config object to `"null"`:

```typescript
const schema = await buildSchema({
resolvers: ["./**/*.resolver.ts"],
authChecker: customAuthChecker,
authMode: "null",
});
```

It will then return `null` instead of throwing an authorization error.

## Recipes

We can also use `TypeGraphQL` with JWT authentication.
Here's an example using `apollo-server-express`:

```typescript
import express from "express";
import { ApolloServer, gql } from "apollo-server-express";
import * as jwt from "express-jwt";

import { schema } from "../example/above";

const app = express();
const path = "/graphql";

// Create a GraphQL server
const server = new ApolloServer({
schema,
context: ({ req }) => {
const context = {
req,
user: req.user, // `req.user` comes from `express-jwt`
};
return context;
},
});

// Mount a jwt or other authentication middleware that is run before the GraphQL execution
app.use(
path,
jwt({
secret: "TypeGraphQL",
credentialsRequired: false,
}),
);

// Apply the GraphQL server middleware
server.applyMiddleware({ app, path });

// Launch the express server
app.listen({ port: 4000 }, () =>
console.log(`🚀 Server ready at http://localhost:4000${server.graphqlPath}`),
);
```

Then we can use standard, token based authorization in the HTTP header like in classic REST APIs and take advantage of the `TypeGraphQL` authorization mechanism.

## Example

See how this works in the [simple real life example](https://github.com/MichalLytek/type-graphql/tree/master/examples/authorization).
Loading

0 comments on commit db5a5da

Please sign in to comment.