Dynamic array params in auth directive not working
Describe the bug
On a multi-tenant app, one user can get data from multiple tenants if they have access to them. For example, for a user who has access to 2 tenants, the JWT looks like the following.
Type definitions
schema.graphql
...
```js
const jwt = {
  id: 1234,
  roles: ['manager'],
  tenants: [
    { tenant: { id: '1234' } },
    { tenant: { id: '4325' } }
  ]
};
return { req, jwt };
```
When the JWT has an array of objects as input to the auth directive, the value never gets resolved in the schema.
graphql.js
```graphql
"""
A PriceCard
"""
type PriceCard
  @auth(
    rules: [
      {
        operations: [READ]
        roles: ["manager"]
        allow: { OR: "$jwt.tenants" }
      }
    ]
  ) {
  id: ID! @id
  status: Status!
  tenant: Tenant! @relationship(type: "PRICECARD_OWNER", direction: OUT)
}
```
**Error**

```
stacktrace: ["TypeError: value.forEach is not a function",…]
0: "TypeError: value.forEach is not a function"
1: " at Object.entries.reduce.params (/Users/xxxxxxxxxX/node_modules/@neo4j/graphql/src/translate/create-auth-and-params.ts:80:34)"
2: " at Array.reduce (<anonymous>)"
3: " at createAuthPredicate (/Users/XXXXXXXX/node_modules/@neo4j/graphql/src/translate/create-auth-and-params.ts:75:54)"
4: " at createSubPredicate (/Users/XXXXXXXX/node_modules/@neo4j/graphql/src/translate/create-auth-and-params.ts:232:36)"
5: " at authRules.reduce.strs (/Users/XXXXXXXX/node_modules/@neo4j/graphql/src/translate/create-auth-and-params.ts:310:32)"
6: " at Array.reduce (<anonymous>)"
7: " at createAuthAndParams (/Users/XXXXXXXX/node_modules/@neo4j/graphql/src/translate/create-auth-and-params.ts:308:37)"
8: " at translateRead (/Users/XXXXXXXX/node_modules/@neo4j/graphql/src/translate/translate-read.ts:122:47)"
9: " at resolve (/Users/XXXXXXXX/node_modules/@neo4j/graphql/src/schema/resolvers/query/read.ts:31:47)"
10: " at Object.priceCards (/Users/XXXXXXXX/office/node_modules/@neo4j/graphql/src/schema/resolvers/wrapper.ts:89:16)"
```
Expected behavior
If the value of allow is replaced with hard-coded values, for example:
```graphql
"""
A PriceCard
"""
type PriceCard
  @auth(
    rules: [
      {
        operations: [READ]
        allow: { OR: [ {tenant: {id: "1234"}}, {tenant: {id: "4325"}} ] }
      }
    ]
  ) {
  id: ID! @id
  status: Status!
  tenant: Tenant! @relationship(type: "PRICECARD_OWNER", direction: OUT)
}
```
it works fine.
System (please complete the following information):
- OS: macOS
- Version: @neo4j/[email protected]
- Node.js version: v14.19.1
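
The failure mode in this report, as an added JavaScript example that is not part of the original issue and is not @neo4j/graphql code: a `$jwt.` reference under `OR` has to be replaced with the token's array before the list is walked, and a non-array operand should be rejected rather than treated as a match. The helper names `substitute`, `collectLeaves` and `tenantPredicates` are hypothetical, and the token is a constructed sample shaped like the one in the report.

```javascript
// Added illustration; not @neo4j/graphql source. Function names are hypothetical.
// Constructed sample token, shaped like the JWT in the report.
const sampleJwt = {
  id: 1234,
  roles: ["manager"],
  tenants: [{ tenant: { id: "1234" } }, { tenant: { id: "4325" } }],
};
const allowRule = { OR: "$jwt.tenants" }; // the rule value from the report

// Replace every "$jwt.a.b" string in the rule with the value at that path in the token.
function substitute(value, jwt) {
  if (typeof value === "string" && value.startsWith("$jwt.")) {
    return value.slice(5).split(".")
      .reduce((node, key) => (node == null ? undefined : node[key]), jwt);
  }
  if (Array.isArray(value)) return value.map((v) => substitute(v, jwt));
  if (value && typeof value === "object") {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, substitute(v, jwt)]));
  }
  return value;
}

// Flatten an allow rule into "path=value" comparisons, walking OR/AND lists.
// Fails closed: a non-array OR/AND operand throws instead of granting access.
function collectLeaves(allow, path = []) {
  const leaves = [];
  for (const [key, value] of Object.entries(allow)) {
    if (key === "OR" || key === "AND") {
      if (!Array.isArray(value)) {
        throw new TypeError(`${key} expects an array, got ${typeof value}`);
      }
      value.forEach((branch) => leaves.push(...collectLeaves(branch, path)));
    } else if (value && typeof value === "object") {
      leaves.push(...collectLeaves(value, [...path, key]));
    } else {
      leaves.push(`${[...path, key].join(".")}=${value}`);
    }
  }
  return leaves;
}

// Resolve token references first, then walk the rule.
function tenantPredicates(allow, jwt) {
  return collectLeaves(substitute(allow, jwt));
}

console.log(tenantPredicates(allowRule, sampleJwt));
```

Calling `collectLeaves(allowRule)` without the substitution step hits the non-array branch, as does a token that carries no `tenants` claim, so both cases are denied rather than matched.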
Many thanks for raising this bug report @johnykifle. :bug: We will now attempt to reproduce the bug based on the steps you have provided.
Please ensure that you've provided the necessary information for a minimal reproduction, including but not limited to:
- Type definitions
- Resolvers
- Query and/or Mutation (or multiple) needed to reproduce
If you have a support agreement with Neo4j, please link this GitHub issue to a new or existing Zendesk ticket.
Thanks again! :pray: