Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add authorization #4

Open
tobiasdiez opened this issue Mar 8, 2021 · 2 comments · May be fixed by #1604
Open

Add authorization #4

tobiasdiez opened this issue Mar 8, 2021 · 2 comments · May be fixed by #1604
Labels
p5: urgent For example breaking bugs affecting most users, should be released ASAP type: feature A completely new feature
Projects
Minimal viable product

Comments

@tobiasdiez
Copy link
Member

tobiasdiez commented Mar 8, 2021
edited

Also add common features like sending registration email etc. Following might be helpful:
@tobiasdiez tobiasdiez added this to Backlog in Minimal viable product Apr 8, 2021
@tobiasdiez tobiasdiez added p5: urgent For example breaking bugs affecting most users, should be released ASAP type: feature A completely new feature labels May 16, 2021
@tobiasdiez
Copy link
Member Author

tobiasdiez commented May 28, 2021
edited

Options are:

  • Authorization in resolver functions, manually calling a helper guard method
  • Authorization in service layer, manually calling a helper guard method
  • Authorization directives in graphql schema
  • Graphql shield: https://the-guild.dev/graphql/shield/docs
  • Authorization in resolver function, as typescript decorators, e.g.
@Before(isAuthorized)
@After(isOwner)
function getBlogPost() {...}

This is similar to the Authorized decoration of type graphql (but more flexible) and in spirit similar to https://github.com/boltsource/apollo-resolvers and https://github.com/lucasconstantino/graphql-resolvers and https://www.graphql-tools.com/docs/resolvers-composition which allow to compose resolvers as well. For rest, this is implemented here: https://tsed.io/docs/authentication.html#usage (see also https://github.com/tsedio/tsed/blob/master/packages/common/src/mvc/decorators/method/useAfter.ts) https://stackoverflow.com/questions/36349158/call-typescript-decorator-method-when-the-underlying-function-is-executed
Problem with this approach: resolver functions need to be methods in a class (otherwise we cannot apply decorators). Workaround: microsoft/TypeScript#7342
Implementation detail to ensure type checking: https://stackoverflow.com/questions/59992398/is-there-a-way-to-type-a-typescript-method-decorator-to-restrict-the-type-of-the and https://stackoverflow.com/questions/52961185/typescript-restrict-decorator-via-typedpropertydescriptor-on-decorator-factorie
Maybe worthwile to extract this to a new library graphql-compose.

Decision: try the typescript way, and if that doesn't work manually authorize requests in resolver functions (at least for now)

Reason:

  • Directives are not flexible enough
  • Shield has this additional permissions layer (which is nice) but there is no mechanism that ensures that this layer stays in sync with the schema. I also would like if the authorization requirements stay close to the resolvers.

References:

@tobiasdiez
Copy link
Member Author

First step toward this: #159

@tobiasdiez tobiasdiez linked a pull request Nov 16, 2022 that will close this issue
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
p5: urgent For example breaking bugs affecting most users, should be released ASAP type: feature A completely new feature
Projects
No open projects
Minimal viable product
Backlog
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: add authorization JabRef/JabRefOnline
1 participant
@tobiasdiez