
Add Security Schema Directives Support

Open Diluka opened this issue 4 years ago • 9 comments

When using querydsl to generate queries, those that don't have code can't use annotations to secure them. And GraphQL doesn't have routes, so it cannot be configured by the security API.

Diluka avatar Aug 26 '21 09:08 Diluka

Can you help me understand what you mean?

rwinch avatar Nov 02 '21 15:11 rwinch

Could this be related to supporting `@auth` directives at the schema level as shown in the GraphQL Java docs?

Possibly related to #177

bclozel avatar Nov 02 '21 18:11 bclozel

Thank you @bclozel. That helps quite a bit.

rwinch avatar Nov 02 '21 18:11 rwinch

@rwinch for example

```graphql
# declaration added so the SDL is valid; the original snippet omitted it
directive @Secured on FIELD_DEFINITION

type Book {
 name:String
 secret:String @Secured # <-- security server directive
}
```

```graphql
query {
 books{
  name
  secret # <-- maybe throw forbidden error
 }
}
```

Diluka avatar Nov 09 '21 03:11 Diluka

@Diluka since you bring this up in the context of querydsl, not sure if you've considered it already, but there is an option to apply security to Spring Data repositories, as shown in this example.

rstoyanchev avatar Nov 18 '21 09:11 rstoyanchev

How about background jobs? They have no auth context, so those methods can't be used with security.

Diluka avatar Nov 18 '21 09:11 Diluka

Not sure I follow. What is a background job, in the context of a GraphQL request?

rstoyanchev avatar Nov 18 '21 10:11 rstoyanchev

I mean the repo method may be used in other contexts.

Diluka avatar Nov 19 '21 05:11 Diluka

I've put together a prototype of Spring Security support that demonstrates how this could work https://github.com/rwinch/spring-graphql/tree/gh-116-security-schema-directive. For now the code is entirely placed in the webflux-security sample to make trying the support easier.

I'm still thinking about what all should be supported. Right now either `@auth(role : "ADMIN")` or `@auth(authority : "ROLE_ADMIN")` is supported. I think we should look into supporting other concepts like authenticated.

If you have the opportunity, please give this a try and let me know if it is what you had in mind.

rwinch avatar Feb 09 '22 21:02 rwinch
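For readers who want to see what the `@auth(role: ...)` / `@auth(authority: ...)` semantics discussed above look like as graphql-java schema-directive wiring, here is an added example; it is not code from the linked prototype branch or from Spring GraphQL itself. It assumes the SDL declares `directive @auth(role: String, authority: String) on FIELD_DEFINITION`, that the wiring is registered with `RuntimeWiring.Builder#directive("auth", ...)`, a thread-bound servlet `SecurityContextHolder` (the WebFlux sample would need the reactive context instead), and graphql-java 17+ for reading directive arguments via `getArgumentValue()`.

```java
import graphql.language.StringValue;
import graphql.schema.DataFetcher;
import graphql.schema.GraphQLArgument;
import graphql.schema.GraphQLFieldDefinition;
import graphql.schema.GraphQLFieldsContainer;
import graphql.schema.idl.SchemaDirectiveWiring;
import graphql.schema.idl.SchemaDirectiveWiringEnvironment;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

/** Enforces @auth(role: "...") or @auth(authority: "...") before a field's data fetcher runs. */
public class AuthDirectiveWiring implements SchemaDirectiveWiring {

    @Override
    public GraphQLFieldDefinition onField(SchemaDirectiveWiringEnvironment<GraphQLFieldDefinition> env) {
        GraphQLFieldDefinition field = env.getElement();
        GraphQLFieldsContainer parent = env.getFieldsContainer();
        // role: "ADMIN" is shorthand for authority: "ROLE_ADMIN", matching the two forms in the thread
        String authority = argument(env, "authority");
        if (authority == null) {
            String role = argument(env, "role");
            authority = (role == null) ? null : "ROLE_" + role;
        }
        if (authority == null) {
            throw new IllegalStateException("@auth on " + field.getName() + " needs role or authority");
        }
        String required = authority;
        DataFetcher<?> original = env.getCodeRegistry().getDataFetcher(parent, field);
        // Check first, then delegate: a denied caller never triggers the underlying fetch.
        DataFetcher<Object> secured = dfe -> {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (auth == null || !auth.isAuthenticated()) {
                throw new AuthenticationCredentialsNotFoundException(field.getName() + " requires authentication");
            }
            boolean allowed = auth.getAuthorities().stream()
                    .map(GrantedAuthority::getAuthority).anyMatch(required::equals);
            if (!allowed) {
                throw new AccessDeniedException(field.getName() + " requires " + required);
            }
            return original.get(dfe);
        };
        env.getCodeRegistry().dataFetcher(parent, field, secured);
        return field;
    }

    /** Reads a String argument of the applied directive (assumes graphql-java 17+ InputValueWithState). */
    private static String argument(SchemaDirectiveWiringEnvironment<?> env, String name) {
        GraphQLArgument arg = env.getDirective().getArgument(name);
        Object raw = (arg == null) ? null : arg.getArgumentValue().getValue();
        return raw instanceof StringValue ? ((StringValue) raw).getValue() : (raw == null ? null : raw.toString());
    }
}
```

With this wiring, a query selecting `secret` on a `@auth`-protected field fails with an access-denied error for the offending field only, while unprotected sibling fields such as `name` still resolve.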