Dynamic array params in auth directive not working

Open johnykifle opened this issue 1 year ago • 1 comments

Describe the bug: In a multi-tenant app, one user can get data from multiple tenants if they have access to them. For example, for a user who has access to 2 tenants, the JWT looks like this.

Type definitions schema.graphql

...
const jwt = {
    id: 1234,
    roles: ['manager'],
    tenants: [
        { tenant: { id: '1234' } },
        { tenant: { id: '4325' } }
    ]
};

return {req, jwt};

When the JWT has an array of objects as input to the auth directive, the value never gets resolved in the schema.

graphql.js

"""
A PriceCard
"""
type PriceCard
    @auth(
        rules: [
            {
                operations: [READ]
                roles: ["manager"]
                allow: { OR: "$jwt.tenants" }
            }
        ]
    ) {
    id: ID! @id
    status: Status!
    tenant: Tenant! @relationship(type: "PRICECARD_OWNER", direction: OUT)
    
}

** Error **

stacktrace:
["TypeError: value.forEach is not a function",…]
0: "TypeError: value.forEach is not a function"
1: "    at Object.entries.reduce.params (/Users/xxxxxxxxxX/node_modules/@neo4j/graphql/src/translate/create-auth-and-params.ts:80:34)"
2: "    at Array.reduce (<anonymous>)"
3: "    at createAuthPredicate (/Users/XXXXXXXX/node_modules/@neo4j/graphql/src/translate/create-auth-and-params.ts:75:54)"
4: "    at createSubPredicate (/Users/XXXXXXXX/node_modules/@neo4j/graphql/src/translate/create-auth-and-params.ts:232:36)"
5: "    at authRules.reduce.strs (/Users/XXXXXXXX/node_modules/@neo4j/graphql/src/translate/create-auth-and-params.ts:310:32)"
6: "    at Array.reduce (<anonymous>)"
7: "    at createAuthAndParams (/Users/XXXXXXXX/node_modules/@neo4j/graphql/src/translate/create-auth-and-params.ts:308:37)"
8: "    at translateRead (/Users/XXXXXXXX/node_modules/@neo4j/graphql/src/translate/translate-read.ts:122:47)"
9: "    at resolve (/Users/XXXXXXXX/node_modules/@neo4j/graphql/src/schema/resolvers/query/read.ts:31:47)"
10: "    at Object.priceCards (/Users/XXXXXXXX/office/node_modules/@neo4j/graphql/src/schema/resolvers/wrapper.ts:89:16)"

Expected behavior: if the value of allow is replaced with hard-coded values, e.g.

"""
A PriceCard
"""
type PriceCard
    @auth(
        rules: [
            {
                operations: [READ]
                allow: { OR: [ {tenant:{id: "1234"}}, {tenant: { id: "4325"}} ] }
            }
        ]
    ) {
    id: ID! @id
    status: Status!
    tenant: Tenant! @relationship(type: "PRICECARD_OWNER", direction: OUT)
    
}

it works fine.

System (please complete the following information):

johnykifle, Oct 11 '22 11:10
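
A simplified in-memory model of the dynamic rule from the report above, added here as an example (it is not code from the issue or from @neo4j/graphql): it resolves the `$jwt.tenants` placeholder to the claim before treating the `OR` value as a list, and denies access when the result is not a non-empty array. The names `resolveValue`, `matches` and `isPlainObject`, and the sample records, are assumptions made for the illustration.

```javascript
// Added example: a simplified in-memory model of an allow-rule check.
// It is not @neo4j/graphql code; all function names are hypothetical.

// Constructed JWT payload with the same shape as the one in the issue.
const sampleJwt = {
  id: 1234,
  roles: ["manager"],
  tenants: [{ tenant: { id: "1234" } }, { tenant: { id: "4325" } }],
};

// Replace a "$jwt.a.b" placeholder with the claim it names.
// Only own properties are followed; a missing claim resolves to undefined.
function resolveValue(value, claims) {
  if (typeof value !== "string" || !value.startsWith("$jwt.")) return value;
  const own = (obj, key) =>
    obj != null && Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
  return value.slice("$jwt.".length).split(".").reduce(own, claims);
}

const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// True only when every entry of `predicate` holds for `node`. Fails closed.
function matches(predicate, node, claims) {
  if (!isPlainObject(predicate) || !isPlainObject(node)) return false;
  const entries = Object.entries(predicate);
  if (entries.length === 0) return false; // an empty rule grants nothing
  return entries.every(([key, raw]) => {
    const expected = resolveValue(raw, claims); // resolve before inspecting the type
    if (key === "OR" || key === "AND") {
      if (!Array.isArray(expected) || expected.length === 0) return false;
      const holds = (p) => matches(p, node, claims);
      return key === "OR" ? expected.some(holds) : expected.every(holds);
    }
    if (isPlainObject(expected)) return matches(expected, node[key], claims);
    return typeof expected !== "object" && expected !== undefined && node[key] === expected;
  });
}

// Constructed PriceCard records for the demonstration.
const ownCard = { id: "pc-1", tenant: { id: "1234" } };
const foreignCard = { id: "pc-2", tenant: { id: "9999" } };
const rule = { OR: "$jwt.tenants" };

console.log("own tenant allowed:", matches(rule, ownCard, sampleJwt));
console.log("foreign tenant allowed:", matches(rule, foreignCard, sampleJwt));
```
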

Many thanks for raising this bug report @johnykifle. :bug: We will now attempt to reproduce the bug based on the steps you have provided.

Please ensure that you've provided the necessary information for a minimal reproduction, including but not limited to:

  • Type definitions
  • Resolvers
  • Query and/or Mutation (or multiple) needed to reproduce

If you have a support agreement with Neo4j, please link this GitHub issue to a new or existing Zendesk ticket.

Thanks again! :pray:

neo4j-team-graphql, Oct 11 '22 11:10