GraphQL Authorization

Join the chat at https://gitter.im/graphql-dotnet/graphql-dotnet

A toolset for authorizing access to graph types for GraphQL .NET.

Usage

  • Register the authorization classes in your container (IAuthorizationEvaluator, AuthorizationSettings, and the AuthorizationValidationRule).
  • Provide a UserContext class that implements IProvideClaimsPrincipal.
  • Add policies to the AuthorizationSettings.
  • Apply a policy to a GraphType or Field (which implement IProvideMetadata) using AuthorizeWith(string policy).
  • The AuthorizationValidationRule runs as a validation rule and checks each policy applied to a type or field against the policies registered in AuthorizationSettings.
  • You can write your own IAuthorizationRequirement.
  • Use the GraphQLAuthorize attribute if using Schema + Handler syntax.

Examples

public static void AddGraphQLAuth(this IServiceCollection services)
{
    services.TryAddSingleton<IHttpContextAccessor, HttpContextAccessor>();
    services.TryAddSingleton<IAuthorizationEvaluator, AuthorizationEvaluator>();
    services.AddTransient<IValidationRule, AuthorizationValidationRule>();

    services.TryAddSingleton(s =>
    {
        var authSettings = new AuthorizationSettings();

        authSettings.AddPolicy("AdminPolicy", _ => _.RequireClaim("role", "Admin"));

        return authSettings;
    });
}


public static void UseGraphQLWithAuth(this IApplicationBuilder app)
{
    var settings = new GraphQLSettings
    {
        BuildUserContext = ctx =>
        {
            var userContext = new GraphQLUserContext
            {
                User = ctx.User
            };

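            // BuildUserContext returns Task<object>; Task<T> is not covariant,
            // so the type argument must be given explicitly.
            return Task.FromResult<object>(userContext);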
        }
    };

    var rules = app.ApplicationServices.GetServices<IValidationRule>();
    settings.ValidationRules.AddRange(rules);

    app.UseMiddleware<GraphQLMiddleware>(settings);
}

public class GraphQLUserContext : IProvideClaimsPrincipal
{
    public ClaimsPrincipal User { get; set; }
}

public class GraphQLSettings
{
    public Func<HttpContext, Task<object>> BuildUserContext { get; set; }
    public object Root { get; set; }
    public List<IValidationRule> ValidationRules { get; } = new List<IValidationRule>();
}
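
The usage list notes that you can write your own IAuthorizationRequirement. The following is an added example, not code from this repository: a requirement that fails closed unless the caller authenticated recently, combined with the "role" claim check in one policy. It assumes IAuthorizationRequirement declares `Task Authorize(AuthorizationContext context)`, that the context exposes `User` and `ReportError(string)`, and that the policy builder has `AddRequirement`; the class names, the "RecentAdminPolicy" name and the use of the OpenID Connect `auth_time` claim are illustrative.

```csharp
using System;
using System.Globalization;
using System.Threading.Tasks;
using GraphQL.Authorization;

// Added example, not part of this repository. Assumed API shape:
// Authorize(AuthorizationContext), context.User, context.ReportError(string).
public class RecentAuthenticationRequirement : IAuthorizationRequirement
{
    private readonly TimeSpan _maxAge;
    public RecentAuthenticationRequirement(TimeSpan maxAge) => _maxAge = maxAge;

    public Task Authorize(AuthorizationContext context)
    {
        // Fail closed: a missing or unauthenticated principal never passes.
        var user = context.User;
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
        {
            context.ReportError("Authentication is required.");
            return Task.CompletedTask;
        }

        // "auth_time" (OpenID Connect): seconds since the Unix epoch, digits only.
        var raw = user.FindFirst("auth_time")?.Value;
        if (!long.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out var seconds)
            || seconds > DateTimeOffset.MaxValue.ToUnixTimeSeconds())
        {
            context.ReportError("A valid auth_time claim is required.");
            return Task.CompletedTask;
        }

        var age = DateTimeOffset.UtcNow - DateTimeOffset.FromUnixTimeSeconds(seconds);
        // A negative age means the claim lies in the future; reject that too.
        if (age < TimeSpan.Zero || age > _maxAge)
        {
            context.ReportError($"Authentication must be at most {_maxAge.TotalMinutes} minutes old.");
        }
        return Task.CompletedTask;
    }
}

public static class RecentAuthPolicy
{
    public static void AddRecentAdminPolicy(this AuthorizationSettings settings) =>
        settings.AddPolicy("RecentAdminPolicy", policy =>
        {
            policy.RequireClaim("role", "Admin");
            policy.AddRequirement(new RecentAuthenticationRequirement(TimeSpan.FromMinutes(5)));
        });
}
```

Every failure path reports an error instead of returning silently, so a missing or malformed claim denies access rather than granting it.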

GraphType first syntax - use AuthorizeWith.

public class MyType : ObjectGraphType
{
    public MyType()
    {
        this.AuthorizeWith("AdminPolicy");
        Field<StringGraphType>("name").AuthorizeWith("SomePolicy");
    }
}

Schema first syntax - use GraphQLAuthorize attribute.

[GraphQLAuthorize(Policy = "MyPolicy")]
public class MutationType
{
    [GraphQLAuthorize(Policy = "AnotherPolicy")]
    public async Task<string> CreateSomething(MyInput input)
    {
        return Guid.NewGuid().ToString();
    }
}

Known Issues

  • It is currently not possible to add a policy to Input objects using the Schema first approach.
