
Support "BeforeResolver" authorization on subscriptions

Open samisq opened this issue 2 years ago • 3 comments

Product

Hot Chocolate

Is your feature request related to a problem?

We would like to be able to enforce authorization on subscriptions, when the client is subscribing to the subscription endpoint. We would also like to use the arguments from the subscription request to make authorization decisions. Currently, when using Authorize attribute with ApplyPolicy.BeforeResolver on subscriptions, the authorization policy doesn't get invoked on-subscribe. If we use ApplyPolicy.Validation, the authorization policy would be invoked on-subscribe. But, in that case, we don't have full context of the arguments within the authorization handler, as the authorization resource is AuthorizationContext (as opposed to IResolverContext), which contains DocumentNode and no way to access the arguments. In the example below, I'd like to use bookId in my AspNet authorization handler, to make authorization decision.

[SubscriptionType]
public class Subscriptions
{
    [Subscribe]
    [HotChocolate.Authorization.Authorize("MyPolicy", ApplyPolicy.BeforeResolver)] // <--- Authorization policy doesn't get invoked when "BeforeResolver" is used
    public Book BookUpdated(int bookId, [EventMessage] Book book) => book;
}

The solution you'd like

Support "BeforeResolver" authorization on subscriptions, so that the authorization handler can access IResolverContext, and by extension, GraphQL arguments, to make authorization decisions.

samisq • Jun 13 '23 18:06
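
An added example (not part of the original issue or the Hot Chocolate code base) of the kind of ASP.NET Core handler the request describes: it is typed on IResolverContext so it can read bookId. The requirement class, the "book_id" claim and the registration helper are hypothetical, and it assumes Hot Chocolate passes the resolver context as the authorization resource under ApplyPolicy.BeforeResolver, as the issue states.

```csharp
using System.Globalization;
using System.Threading.Tasks;
using HotChocolate.Resolvers;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical requirement behind "MyPolicy"; the claim type is an assumption.
public sealed class BookAccessRequirement : IAuthorizationRequirement
{
    public string ClaimType { get; } = "book_id";
}

// Typed on IResolverContext: ASP.NET Core only calls HandleRequirementAsync when
// the authorization resource is of that type. With any other resource (for
// example AuthorizationContext under ApplyPolicy.Validation) the requirement is
// never marked as succeeded, so the policy fails closed.
public sealed class BookAccessHandler
    : AuthorizationHandler<BookAccessRequirement, IResolverContext>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        BookAccessRequirement requirement,
        IResolverContext resource)
    {
        // Assumes the policy is attached only to fields that declare "bookId".
        int bookId = resource.ArgumentValue<int>("bookId");
        string expected = bookId.ToString(CultureInfo.InvariantCulture);

        if (context.User.HasClaim(requirement.ClaimType, expected))
        {
            context.Succeed(requirement);
        }

        return Task.CompletedTask;
    }
}

public static class BookAuthorizationSetup
{
    // Hypothetical helper; call from Program.cs next to AddGraphQLServer().AddAuthorization().
    public static IServiceCollection AddBookPolicy(this IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, BookAccessHandler>();
        services.AddAuthorization(options => options.AddPolicy(
            "MyPolicy", policy => policy.AddRequirements(new BookAccessRequirement())));
        return services;
    }
}
```

With the behaviour reported in this issue, the handler is not invoked at subscribe time for a [Subscribe] field marked ApplyPolicy.BeforeResolver, so such a subscription should not be treated as protected by it.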

Is there an indicative ETA for when this will be supported?

MattStannettEP • Apr 18 '24 05:04

This issue is on the backlog and will soon be picked. The release horizon will be 14.1.

michaelstaib • Aug 14 '24 08:08