Security Token

Open zerlpaMMT opened this issue 6 years ago • 2 comments

Hi,

Is there any possibility to get the token into the resolve function of a type? https://graphql.org/learn/authorization/ says that accessibility control for some kind of data should be in the business logic layer.

Kind regards.

zerlpaMMT, Apr 28 '18 17:04

@zerlpaMMT did you find a solution to this? It seems that (in Symfony 4) the result of container[...]->get('security.token_storage')->getToken()->getUser() returns 'anon.' instead of the currently logged in user. Therefore, using symfony.authorization_checker->isGranted() inside fields/mutations does not seem to work like you would expect.

This happens when following the comments in #68, with the following in services.yaml:

graphql.processor:
        public: true
        class: Youshido\GraphQLBundle\Execution\Processor
        arguments:
            $executionContext: '@graphql.execution_context'
        calls:
            - [setSecurityManager, ['@graphql.security_manager']]

mwarnaar, Jun 27 '18 13:06

It turned out that it was a missing Apollo client setting. In front-end JavaScript, passing credentials: 'same-origin' with createHttpLink did the trick for session-based authentication (https://www.apollographql.com/docs/react/recipes/authentication.html). Might not be related to this issue, but this could help you in the right direction.

mwarnaar, Jun 27 '18 18:06
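
Added example (not part of the thread, and not code from GraphQLBundle or Apollo): a simplified model of why a resolver-level check sees 'anon.' until the client's credentials mode lets the session cookie reach the endpoint. The origins, session id, cookie name PHPSESSID and all function names are constructed assumptions, and CORS and SameSite rules are left out.

```javascript
// Simplified model of the Fetch "credentials" modes and a session-backed
// GraphQL endpoint. All names and values below are constructed for illustration.

// Constructed sample data: one server-side session and the browser's cookie for it.
const SESSIONS = { 'sess-abc123': 'alice' };
const COOKIE_JAR = { 'https://app.example.test': 'PHPSESSID=sess-abc123' };

// Browser side: decide which headers accompany a request for a credentials mode.
//   'omit'        -> never attach cookies
//   'same-origin' -> attach cookies only when the request stays on the page's origin
//   'include'     -> attach cookies for the target origin, cross-origin too
function browserHeaders(mode, pageOrigin, requestUrl, jar = COOKIE_JAR) {
  const target = new URL(requestUrl, pageOrigin).origin;
  const allowed =
    mode === 'include' || (mode === 'same-origin' && target === pageOrigin);
  const headers = { 'content-type': 'application/json' };
  if (allowed && jar[target]) headers.cookie = jar[target];
  return headers;
}

// Server side: map the session cookie to a user; no valid session means anonymous.
function currentUser(headers, sessions = SESSIONS) {
  const match = /(?:^|;\s*)PHPSESSID=([^;]+)/.exec(headers.cookie || '');
  const user = match ? sessions[match[1]] : undefined;
  return user || 'anon.';
}

// Resolver-level check in the business logic layer: refuse anonymous callers.
function resolveViewer(headers) {
  const user = currentUser(headers);
  if (user === 'anon.') return { errors: ['Access denied'], data: null };
  return { errors: [], data: { viewer: user } };
}

// What the endpoint sees for each mode when the page calls its own /graphql.
function viewerFor(mode, pageOrigin = 'https://app.example.test', url = '/graphql') {
  return resolveViewer(browserHeaders(mode, pageOrigin, url));
}

console.log(viewerFor('omit'));        // anonymous: the cookie never left the browser
console.log(viewerFor('same-origin')); // resolved as the session's user
```

When debugging the real setup, the equivalent check is whether the GraphQL request in the browser's network tab carries a Cookie header at all.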