Auth directive in input field ignores applyPolicy function #131

Open
bishwoconpago opened this issue Nov 11, 2024 · 2 comments

@bishwoconpago

We are using mercurius with fastify in this server setup.

We have an archetype validator directive which works pretty sweet in the Query, Mutation, Subscription, and field resolvers.

But the issue arises when the directive is applied in the arguments. It doesn't trigger the directive's validator function.

Have even tried it with:

  • INPUT_FIELD_DEFINITION | INPUT_OBJECT
  • creating a new directive, registering it and renaming it in schema input
  • and does not pick it up.. the mutation gets called anyways (so have to do the check in the execution logic)


example mutation:

```graphql
editUser(
  first_name: String
  ...
  role_id: ObjectID @authArchetype(requires: [superadmin])
): User @authArchetype(requires: [superadmin, admin])
```

registering directive:

```js
.register(mercuriusAuth, {
  async applyPolicy(authDirectiveAST, parent, args, context) {
    // user object having an `archetype` key
    const { user } = context

    // retrieve the auth directive argument requirements
    const requiredArgument = authDirectiveAST.arguments.find(
      (argument) => argument.name?.value === 'requires'
    )?.value

    const excludeArgument = authDirectiveAST.arguments.find(
      (argument) => argument.name?.value === 'exclude'
    )?.value

    // extract required archetype/s from argument values
    const authorizedArchetypes =
      requiredArgument?.values?.map((value) => value.value) ?? []

    if (excludeArgument) {
      const excludeArchetypes =
        excludeArgument?.values?.map((value) => value.value) ?? []
      if (excludeArchetypes.includes(user.archetype))
        return new Error('You do not have the required permissions')
    }

    return authorizedArchetypes.includes(user.archetype)
      ? true
      : new Error('You do not have the required permissions')
  },
  authDirective: 'authArchetype',
})
```

@jonnydgreen
Collaborator

Hi there, thanks for getting in touch! Unfortunately, Mercurius Auth does not currently support defining policies at the argument level, only at the field and type level (and a short-term workaround using a field-level directive for avoiding policy checks in execution logic wouldn't be type-safe).

Would you be interested in getting with potentially adding support for auth policies for inputs?

@bishwoconpago
Author

Thanks for letting me know.. I will see what I can do over the weekend.
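
The check this thread ends up needing, as an added example that is not part of the issue or of mercurius-auth: because a directive on an argument never reaches `applyPolicy`, the resolver is wrapped so the archetype rule for `role_id` is enforced before any execution logic runs. `ARG_POLICIES`, `checkArgPolicies`, `withArgPolicies` and the stub resolver are hypothetical names; the policy mirrors the `editUser` example above.

```javascript
// Added example: argument-level archetype checks performed in the resolver.
// All names here are hypothetical; nothing below is mercurius-auth API.

// Mirrors `role_id: ObjectID @authArchetype(requires: [superadmin])`.
const ARG_POLICIES = {
  editUser: { role_id: { requires: ['superadmin'] } },
};

// Returns true, or an Error naming the first argument the caller may not set.
function checkArgPolicies(policies, args, user) {
  for (const [argName, policy] of Object.entries(policies ?? {})) {
    // Only arguments the client actually sent are checked. An explicit null
    // still counts as sent, because it can clear the stored value.
    if (!(argName in (args ?? {}))) continue;
    const archetype = user?.archetype; // a missing user fails closed
    const excluded = (policy.exclude ?? []).includes(archetype);
    const allowed = (policy.requires ?? []).includes(archetype);
    if (excluded || !allowed) {
      return new Error(
        `You do not have the required permissions to set "${argName}"`
      );
    }
  }
  return true;
}

// Wraps a resolver so the argument check runs before the resolver body.
function withArgPolicies(fieldName, resolve) {
  return async (parent, args, context, info) => {
    const result = checkArgPolicies(ARG_POLICIES[fieldName], args, context?.user);
    if (result !== true) throw result;
    return resolve(parent, args, context, info);
  };
}

// Constructed stand-in for the real editUser mutation resolver.
const editUser = withArgPolicies('editUser', async (_parent, args) => ({ ...args }));
```

The field-level `@authArchetype(requires: [superadmin, admin])` still goes through `applyPolicy` as before; the wrapper only covers the argument rule.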
