Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Authentication/Authorization for default resolvers

See original GitHub issue

Hi, I read the description on how to use @login_required and other decorators with resolvers. However, if one is not using explicit resolvers (instead using default ones), how can one enforce similar access controls?

In my case, I am using graphene with the Django User model. I have the following:

class UserNode(DjangoObjectType):
    class Meta:
        model = User
        filter_fields = ['first_name', 'last_name', 'id', 'email']
        interfaces = (Node, )

class Query(object):
    userNode = relay.Node.Field(UserNode)
    all_users = DjangoConnectionField(UserNode)

If I explicitly define a ‘resolve_all_users’ method and use the @login_required decorator on it, it works fine. But this (and other objects) in my schema are relying on default resolvers. How can I protect them without having to define resolvers explicitly?

I admit to being a novice in the use of graphene/graphql…and any help pointing me in the right direction is much appreciated.

Issue Analytics

State:
Created 5 years ago
Reactions:4
Comments:8 (2 by maintainers)

Top GitHub Comments

3reactions

ytmimicommented, Nov 9, 2018

@amreshprasad @AlonsoEnrique, Heres one way to ensure all fields for a given ObjectType are restricted to authenticated users.

If you take a look at where DjangoObjectType is defined in the source code you see that DjangoObjectType inherits from ObjectType. One of the Meta attributes for ObjectType is default_resolver.

Just so you know, here’s how Graphene defines its default resolver:

def attr_resolver(attname, default_value, root, info, **args):
     return getattr(root, attname, default_value)

Reading the decorator docs explains that login_required just checks that the current user is logged in (or authenticated).

Also, important to note: info.context is our Django request object.

Putting that all together we can define a custom resolver and apply it to our DjangoObjectType.

from graphql_jwt.exceptions import PermissionDenied

def auth_resolver(attname, default_value, root, info, **args):
    if info.context.user.is_authenticated:
        return getattr(root, attname, default_value)
    raise PermissionDenied()

class UserNode(DjangoObjectType):
    class Meta:
        model = User
        filter_fields = ['first_name', 'last_name', 'id', 'email']
        interfaces = (Node, )
        default_resolver = auth_resolver

As long as you set up django-graphql-jwt correctly, passing in a valid token will set the user object in info.context, and this method should work.

1reaction

mongkokcommented, Sep 27, 2018

Hi @amreshprasad , Good suggestion but I do not think it corresponds to this package.

django-graphql-jwt provides a user authentication system using JWT but not a permission system for Graphene.

Django comes with one authentication system and should also be able to define permissions on resolvers.

Top Results From Across the Web

Authentication and authorization - Apollo GraphQL Docs

Authentication is determining whether a given user is logged in, and subsequently determining which user someone is. Authorization is then determining what ...

3 ways for authorization with GraphQL and Apollo

We will have a look at resolver-based access control, implementing an authorization directive and use a permission library called GraphQL Shield ...

Authorization and Authentication in GraphQL - Carbon Five Blog

The auth-service uses JWT to generate a token that contains the id and roles of the authenticated user and that can be handed...

Authorization and authentication - AWS AppSync

Learn about authentication and authorization in AWS AppSync. ... AWS_LAMBDA , or AWS_IAM as the main or default authorization type, you can't specify...

Deep dive on authentication, authorization and RBAC for ...

Our aim is to implement an @auth schema directive to perform authorization on a field before our query is executed by its resolvers....