JabRefOnline
Add authorization
- https://github.com/maticzav/graphql-shield
- https://jkettmann.com/authorization-with-graphql-and-custom-directives
- https://jkettmann.com/3-ways-for-authorization-with-graphql-and-apollo
- https://www.apollographql.com/docs/apollo-server/security/authentication/
Also add common features like sending a registration email etc. The following might be helpful:
- https://github.com/Volst/graphql-authentication
Options are:
- Authorization in resolver functions, manually calling a helper guard method
- Authorization in service layer, manually calling a helper guard method
- Authorization directives in graphql schema
- Graphql shield: https://the-guild.dev/graphql/shield/docs
- Authorization in resolver function, as TypeScript decorators, e.g.

```typescript
// Sketch: a guard that runs before the resolver and a check that runs on its result
@Before(isAuthorized)
@After(isOwner)
function getBlogPost() {...}
```
This is similar to the `Authorized` decorator of TypeGraphQL (but more flexible) and in spirit similar to https://github.com/boltsource/apollo-resolvers, https://github.com/lucasconstantino/graphql-resolvers and https://www.graphql-tools.com/docs/resolvers-composition, which also allow composing resolvers. For REST, this is implemented here: https://tsed.io/docs/authentication.html#usage (see also https://github.com/tsedio/tsed/blob/master/packages/common/src/mvc/decorators/method/useAfter.ts and https://stackoverflow.com/questions/36349158/call-typescript-decorator-method-when-the-underlying-function-is-executed).
Problem with this approach: resolver functions need to be methods in a class (otherwise we cannot apply decorators). Workaround: https://github.com/microsoft/TypeScript/issues/7342
Implementation detail to ensure type checking: https://stackoverflow.com/questions/59992398/is-there-a-way-to-type-a-typescript-method-decorator-to-restrict-the-type-of-the and https://stackoverflow.com/questions/52961185/typescript-restrict-decorator-via-typedpropertydescriptor-on-decorator-factorie
Maybe worthwhile to extract this into a new library, graphql-compose.
Decision: try the TypeScript decorator approach, and if that doesn't work, manually authorize requests in resolver functions (at least for now).
Reason:
- Directives are not flexible enough
- Shield has this additional permissions layer (which is nice), but there is no mechanism that ensures this layer stays in sync with the schema. I would also prefer the authorization requirements to stay close to the resolvers.
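As an added example (not JabRefOnline's code), the `Before`/`After` idea from the decorator sketch written as plain resolver wrappers in the resolver-composition style the links above describe, so it does not depend on decorator compiler settings. The `Context`, `User` and `BlogPost` shapes, the `AuthorizationError` class and the sample posts are assumptions made up for this example; the point it shows is that `isAuthorized` rejects before the data layer is touched, while `isOwner` can only be decided once the object has been loaded.

```typescript
// Assumed shapes for this example; JabRefOnline's own context and models differ.
type User = { id: string };
type Context = { user?: User };
type Resolver<TArgs, TResult> = (args: TArgs, ctx: Context) => TResult;
type Guard<TArgs> = (args: TArgs, ctx: Context) => boolean;
type ResultCheck<TResult> = (result: TResult, ctx: Context) => boolean;
class AuthorizationError extends Error {}

// "Before" guard: evaluated on the request before the resolver runs,
// so an unauthenticated caller never reaches the data layer.
function before<TArgs, TResult>(guard: Guard<TArgs>, reason: string) {
  return (resolver: Resolver<TArgs, TResult>): Resolver<TArgs, TResult> =>
    (args, ctx) => {
      if (!guard(args, ctx)) throw new AuthorizationError(reason);
      return resolver(args, ctx);
    };
}

// "After" check: evaluated on the loaded object, for rules such as
// ownership that can only be decided once the object is known.
function after<TArgs, TResult>(check: ResultCheck<TResult>, reason: string) {
  return (resolver: Resolver<TArgs, TResult>): Resolver<TArgs, TResult> =>
    (args, ctx) => {
      const result = resolver(args, ctx);
      if (!check(result, ctx)) throw new AuthorizationError(reason);
      return result;
    };
}

type BlogPost = { id: string; ownerId: string; title: string };
const isAuthorized: Guard<unknown> = (_args, ctx) => ctx.user !== undefined;
const isOwner: ResultCheck<BlogPost> = (post, ctx) => ctx.user?.id === post.ownerId;

// Constructed sample data standing in for the database.
const posts: BlogPost[] = [
  { id: "p1", ownerId: "alice", title: "Alice's draft" },
  { id: "p2", ownerId: "bob", title: "Bob's draft" },
];

const findPost: Resolver<{ id: string }, BlogPost> = ({ id }) => {
  const post = posts.find((p) => p.id === id);
  if (post === undefined) throw new Error(`no post ${id}`);
  return post;
};

// Same effect as @Before(isAuthorized) @After(isOwner) on getBlogPost:
// the guard wraps the ownership check, which wraps the plain resolver.
const getBlogPost = before<{ id: string }, BlogPost>(isAuthorized, "login required")(
  after<{ id: string }, BlogPost>(isOwner, "not the owner")(findPost),
);
```

Because the wrappers are ordinary functions, the same guards can be reused on every resolver and stay next to the resolver they protect, which is the property the decision above asks for.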
References:
- https://github.com/dimatill/graphql-shield/blob/bddd7b2ab6089a36638aec9fe39e85533246d6a0/packages/graphql-shield/src/rules.ts
- https://github.com/dimatill/graphql-shield/blob/bddd7b2ab6089a36638aec9fe39e85533246d6a0/packages/graphql-shield/src/generator.ts#L67
First step toward this: https://github.com/JabRef/JabRefOnline/pull/159