
If fallbackRule is defined, it ignores the other rules


Bug report

I just tried to set the fallbackRule to deny. The problem is, when this is set, even if the other rules pass, the server gives a Not authorized error.

  1. This is my GraphQL schema:
type Branch {
  id: ID!
  name: String
}

type Query {
  branch(where: BranchWhereUniqueInput!): Branch
  branches(
    where: BranchWhereInput
    orderBy: BranchOrderByInput
    skip: Int
    after: String
    before: String
    first: Int
    last: Int
  ): [Branch]!
}
  2. This is the invoked query:
query {
  restaurant(where: { id: "_" }) {
    id
  }
}

  3. I use these permissions:
const { rule, shield, allow } = require('graphql-shield');

// Passes only when the request context carries a user.
const isAuthenticated = rule({ cache: 'no_cache' })(async (parent, args, ctx) => {
  console.log(ctx.user);
  return ctx.user !== null;
});

const permissions = shield(
  {
    Query: {
      branches: isAuthenticated,
      branch: isAuthenticated,
    },
  },
  {
    fallbackRule: allow,
    graphiql: true
  }
);
  4. This is the error I see:
Error: Not Authorised!

Expected behaviour

The user is coming to the isAuthenticated method. But if fallbackRule is defined, the isAuthenticated method runs and the user gets console logged. But it still returns Error: Not Authorised!. If I remove fallbackRule or set it to allow, the query runs without issue and also blocks if the user is actually not there.

Actual behaviour

The fallbackRule should be executed only if there are no rules set for the query.

Top GitHub Comments

ph55 commented, Jan 10, 2019 (10 reactions)

Make sure the response type is also allowed.

Example:

type Mutation {
  login(input: LoginInput!): LoginResponse
}

Not enough for a login whitelist:

shield({ Mutation: { login: allow } }, { fallbackRule: deny })

Should be:

shield({ Mutation: { login: allow }, LoginResponse: allow }, { fallbackRule: deny })

Or just add custom fallbackRule and allow fields:

In the following example, queries and mutations that have no rules are denied, but types and fields are allowed. So once you have a rule that allows a Query or Mutation, you don’t have to add a rule for the returned type and/or its fields.

const { rule, shield } = require('graphql-shield');

// Fallback applied to every field that has no explicit rule in the tree.
const shieldFallback = async (parent, args, ctx, info) => {
    switch (info.parentType.name) {
      // queries
      case 'Query':
        return false;
      // mutations
      case 'Mutation':
        return false;
      // returned types and their fields
      default:
        return true;
    }
};
const fallbackRule = rule({ cache: false })(shieldFallback);

const ruleTree = { Query: {}, Mutation: {} };
const permissions = shield(ruleTree, { fallbackRule });

You can play further with fallback for your needs.
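To make the behaviour in the bug report and in this comment concrete, here is an added example (not code from the graphql-shield project or from either poster) that models how a shield-style rule tree is resolved per field. It assumes rules are plain synchronous functions `(parent, args, ctx, info) => boolean`, and that lookup goes field rule, then type-level rule, then fallbackRule; the field paths and the `ctx` objects are constructed for the demo.

```javascript
// Added example, not graphql-shield's own code: a model of per-field rule
// resolution showing why `Query.branch: isAuthenticated` still fails on
// `Branch.id` with fallbackRule: deny, and why ph55's two fixes work.
const allow = () => true;
const deny = () => false;
const isAuthenticated = (parent, args, ctx) => ctx.user !== null;

// Assumed lookup order: field rule, then a rule set on the whole type,
// then the fallbackRule.
function resolveRule(ruleTree, fallbackRule, typeName, fieldName) {
  const typeEntry = ruleTree[typeName];
  if (typeof typeEntry === 'function') return typeEntry;
  if (typeEntry && typeof typeEntry[fieldName] === 'function') return typeEntry[fieldName];
  return fallbackRule;
}

// Walk the fields a response touches ([parentType, field] pairs, constructed)
// and return the first field whose rule denies, or null if all are allowed.
function firstDeniedField(ruleTree, fallbackRule, path, ctx) {
  for (const [typeName, fieldName] of path) {
    const info = { parentType: { name: typeName }, fieldName };
    if (!resolveRule(ruleTree, fallbackRule, typeName, fieldName)(null, {}, ctx, info)) {
      return `${typeName}.${fieldName}`;
    }
  }
  return null;
}

// ph55's fallback in one line: deny unlisted root fields, allow other types.
const shieldFallback = (parent, args, ctx, info) =>
  !['Query', 'Mutation'].includes(info.parentType.name);

// Constructed paths for `query { branch { id } }` and `mutation { login { token } }`.
const branchPath = [['Query', 'branch'], ['Branch', 'id']];
const loginPath = [['Mutation', 'login'], ['LoginResponse', 'token']];

function demo() {
  const signedIn = { user: { id: 1 } };
  const rules = { Query: { branch: isAuthenticated } };
  return {
    // reporter's case: the root rule passes, but Branch.id hits the deny fallback
    reporter: firstDeniedField(rules, deny, branchPath, signedIn),
    rootOnly: firstDeniedField({ Mutation: { login: allow } }, deny, loginPath, signedIn),
    withType: firstDeniedField({ Mutation: { login: allow }, LoginResponse: allow }, deny, loginPath, signedIn),
    customFallback: firstDeniedField(rules, shieldFallback, branchPath, signedIn),
    unlistedRoot: firstDeniedField(rules, shieldFallback, [['Query', 'branches']], signedIn),
    anonymous: firstDeniedField(rules, shieldFallback, branchPath, { user: null }),
  };
}
```

`demo()` reports `Branch.id` and `LoginResponse.token` as the denied fields in the two deny-fallback setups, while the type-level `allow` and the custom fallback let the same requests through and still block an unlisted root field or an anonymous user.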

