Authorization with GraphQL Shield

Captions
Here we have a simple GraphQL server using Express.js with the express-graphql plugin. We have a simple schema, we have some dummy data in an array, and we have some resolvers which map to those dummy data entries. If we load localhost:4000 and head on over to the GraphiQL interface, we can make a few queries here. One query is to fetch all of the users, and we can get the name, email, role and the id. We can also create users and pass an input here; for demonstration purposes this just returns anything we input as well as a new id.

In this video we'll be looking at GraphQL Shield. GraphQL Shield is a middleware library that plugs into our GraphQL API, and it's designed to allow us to specify rules which will either permit or deny access from the outside world. To get started, open your terminal inside of your project and install the graphql-middleware package and graphql-shield itself. Since GraphQL Shield is a graphql-middleware library, we need to apply middleware to our schema and pass in that GraphQL Shield object. Let's first import and require applyMiddleware from graphql-middleware, and then we'll import shield from the graphql-shield package. Let's go ahead and first declare the permissions: we'll need to invoke shield and pass to the constructor an object that will map to our Query, Mutation and our root types. Then we'll declare schemaWithPermissions, and we'll pass to applyMiddleware the schema and the permissions. Then all that's left to do is update our application, and then update the graphql http package to point to the new schemaWithPermissions instead of just the schema that we made executable. Now, if we go ahead and pass to shield an object mapping Query and Mutation, and leave these as empty objects for now, if we start the server and head on over to the GraphiQL interface you'll see that all of the queries are working as we expect. So at this point graphql-middleware and GraphQL Shield are working, there are no errors, our application is running and the requests are being returned to us; we just don't have any middleware or any rules defined to allow or deny access to our API.

Inside of our permissions map, let's map users to isAuthenticated, then we'll go ahead and define the isAuthenticated rule. Everything that appears to the right of the query is the rule. Then let's go ahead and declare the isAuthenticated rule, and if we use rule, you see here it's automatically been imported for us in our CommonJS requirements above. What we need to pass to the rule function is an asynchronous function that pretty much looks like a regular GraphQL resolver, and inside of here you have access to everything you would inside of a normal GraphQL resolver, such as the arguments, context and any of the info about the request. For this example let's just return false. If we head on over to GraphiQL and we run this query, you'll now see that we have "not authorized". So this is GraphQL Shield working: it is not authorized to permit anything from working, so it will return a GraphQL error. You can also customize the error which is returned to the user, so we can return a new Error, and when you run that GraphiQL query again you'll now see that we have a custom message that we defined inside of the rule. But for the purposes of this video, let's go ahead and just return whether or not there are any headers with the user id defined. So if we go ahead and we run this, you'll see we are not authorized, but if we head to the request headers pane inside of GraphiQL and we pass in user id and we pass an id and rerun the query, you'll now see that we are authenticated. This is a cheat, but if you think about a bearer token, we can pass a bearer token and GraphQL Shield can inspect that bearer token and make sure that it's valid and there is a user.

Let's now go ahead and create another rule, and we'll call this isAdmin. Similar to how we defined the rule above, we'll go ahead and define the signature for the rule. To check that we're an admin, we're first going to find the user where the context user id matches that inside of our mock user data. So in this case we'll just loop through all of our users and we'll pluck out that user, and if there is a user by that id and the role equals admin, that will return a boolean. If we use and, which will automatically be required for us, we can pass to and multiple rules that we've already defined; so in this case we'll pass isAuthenticated and isAdmin. So in order to run the users query, that user must be an admin and must be authenticated. If we change the user id to 2, we'll see here that we are authenticated, because in the mock data the user with an id of 2 has the role admin. If we change this to user and we rerun that query, you'll now see that we are not authorized.

We'll now continue by updating the shield map to only allow access to the me query if you are authenticated. So if we run a query to fetch me and I want to fetch the id, you'll see that I'm able to do so, and this is because we've passed that header. We'll now go ahead and define the Mutation map, and for createUser we'll pass in a new rule that is called isNotAlreadyRegistered. This will use a new type of rule provided by GraphQL Shield; this rule is called the input rule. With an input rule we can return a yup schema. If you're not familiar with yup, it is a validation library, and if we pass an object to the input object we can define inside of here all of the rules. We'll define inside of the input object that the name is a string and required, and the email is also an email string and it's required, but we'll also check that the email is not one of the existing emails that we already have marked, and if it is we can return a custom error. If we now run that mutation and we provide a name and an email that already exists, when we execute the mutation we should see that we have that custom error returned. If we update the mutation to include a unique email, the mutation should run successfully.

There are other logic rules available to import as well. The next one we'll have a look at will be or: this createPost mutation can be run if you are either an admin, or you are an owner and an editor. You can also import allow, deny, not and many others. If we deny all access to queries, then every query that we do not have a rule for will be declined. So here the users query still executes and the query to get me still executes, because we have other rules defined, but if we added any additional queries they would be denied. So we can see here we've removed the rule for me and this is denied, but the one to users is still allowed. If we change allow to the me query, we'll see that this is also allowed. This also works for mutations as well: we can deny all mutations or we can allow. We haven't covered everything with GraphQL Shield in this video, so I'd recommend you view the documentation and watch a future episode when we cover more of the caching strategies with GraphQL Shield.
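The rules built in the video (isAuthenticated, isAdmin, the createUser input check, and composing them with and), as an added example that is not the video's own code: the rule bodies are written as plain functions in the (parent, args, ctx, info) shape that graphql-shield's rule() accepts, so they run without the library installed. The users array, the `user-id` header name, the allOf stand-in for and(), and the inline email check that stands in for the yup schema are all assumptions made for this example.

```javascript
// Added example, not the video's code: the rule bodies as plain functions in the
// (parent, args, ctx, info) shape graphql-shield's rule() accepts, runnable without
// the library. users, the `user-id` header and the inline email check (standing in
// for the yup schema) are constructed here.
const users = [
  { id: '1', name: 'Alice', email: 'alice@example.com', role: 'user' },
  { id: '2', name: 'Bob', email: 'bob@example.com', role: 'admin' },
];
// Resolver context from request headers, as in the video's header-pane demo. The
// video calls this a cheat: the header is trusted as-is, so a real deployment
// should populate ctx.userId from a verified bearer token instead.
function contextFromHeaders(headers) {
  return { userId: headers['user-id'] || null, users };
}
// isAuthenticated: the request carries a user id.
function isAuthenticated(parent, args, ctx) {
  return Boolean(ctx.userId);
}
// isAdmin: the user named in the context exists and has the admin role.
function isAdmin(parent, args, ctx) {
  const user = ctx.users.find((u) => u.id === ctx.userId);
  return user !== undefined && user.role === 'admin';
}
// isNotAlreadyRegistered: validates createUser's input. Returning an Error denies
// with a custom message; returning true permits.
function isNotAlreadyRegistered(parent, args, ctx) {
  const { name, email } = (args && args.input) || {};
  if (typeof name !== 'string' || name.trim() === '') return new Error('name is required');
  if (typeof email !== 'string' || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return new Error('email must be a valid email address');
  }
  if (ctx.users.some((u) => u.email.toLowerCase() === email.toLowerCase())) {
    return new Error('email already registered');
  }
  return true;
}
// Local stand-in for graphql-shield's and(): every rule must return true; the
// first denial (false or an Error) is passed through so its message survives.
function allOf(...rules) {
  return (parent, args, ctx, info) => {
    for (const r of rules) {
      const result = r(parent, args, ctx, info);
      if (result !== true) return result;
    }
    return true;
  };
}
// users query: both rules must pass, like and(isAuthenticated, isAdmin).
const canListUsers = allOf(isAuthenticated, isAdmin);
```

To wire these into the real library, wrap each function with rule()(fn) from graphql-shield and replace allOf with its and(); the return-value contract (true, false or an Error) is the same.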
Info
Channel: Jamie Barton
Views: 701
Keywords: graphql, graphql shield, javascript, the guild
Id: DvjRCnrYFcg
Length: 8min 25sec (505 seconds)
Published: Mon Aug 16 2021