
Question: How do you recommend enforcing authorization?


Hello,

I’d like to systematically enforce authorization for nodes and individual fields within the nodes.

Conceptually something like this might work:

# AuthZSQLAlchemyObjectType, node_authorizer and the *_authorizer functions are the
# proposed API, not existing graphene-sqlalchemy names
class MyNode(AuthZSQLAlchemyObjectType):
    class Meta:
        model = MyModel
        authorize_node_function = node_authorizer
        field_auth = {  # dict literal; dict("name": ...) is not valid Python
            "name": all_authorizer,
            "private_things": self_only_authorizer,
        }

node_authorizer(model_instance) would get called whenever a new Node of that type is created. Only fields in the field_auth dict would be exposed in node, and then the associated function would be called like resolve_authorizer(model_instance, field_name)

Any opinions on the best way to achieve this?

Issue Analytics

  • State: open
  • Created 4 years ago
  • Comments: 5

Top GitHub Comments

1 reaction
duboisj-illuminate commented, Feb 3, 2021

This is somewhat old but still open. Has there been any additional development to support this in graphene-sqlalchemy, or are there authorization patterns the community has settled on as workable?

1 reaction
hoffrocket commented, Mar 27, 2019

Thanks @Nabellaleen. Those approaches seem in line with what we’d like to do.

Our goals:

  1. prevent new columns added to a SQLAlchemy model from leaking into the GraphQL schema (by enforcing use of only_fields like whitelist)
  2. associate a role or auth function with each column to enforce authorization rules at query time
  3. associate a role or auth function with the Node itself to catch things like id and custom fields that are not in the list of columns

We had been solving these concerns by using only_fields on every Node and then overriding the resolve methods for columns where we need authorization controls. But that has become cumbersome and error prone. We have a lot of boilerplate code that looks like this:

from graphene_sqlalchemy import SQLAlchemyObjectType

class OurNode(SQLAlchemyObjectType):
    class Meta:
        model = OurModel  # the SQLAlchemy model; added here because Meta requires one
        only_fields = ("name", "created_at", ...)  # whitelist: unlisted columns stay out of the schema

    # self_or_staff_required / staff_required are our own decorators that inspect info.context
    @self_or_staff_required
    def resolve_name(self, info):
        return self.name

    @staff_required
    def resolve_created_at(self, info):
        return self.created_at

I’ve been experimenting with the concept above and it’s pretty similar to what @dfee suggests here https://github.com/graphql-python/graphene-django/issues/79#issuecomment-306583068

It seems to work, and I wonder if we can get some consensus around an approach that could be pushed upstream and be generally useful.

One fundamental challenge to overcome in this community is that graphene-django is basically a superset and fork of graphene-sqlalchemy.
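An added example, not from this issue or from graphene-sqlalchemy, that implements the Meta.field_auth / authorize_node_function idea from the question together with the three goals listed above in plain Python, with no graphene dependency so it runs on its own. AuthZObjectType, UserRow, the authorizer functions, the (instance, field_name, user) authorizer signature and resolve_as are assumed or constructed names; the resolvers follow graphene's resolve_<field>(root, info) contract so the same wrapper could be attached to a real ObjectType.

```python
from dataclasses import dataclass
from types import SimpleNamespace

@dataclass
class UserRow:  # constructed stand-in for a SQLAlchemy model row
    id: int
    name: str
    private_things: str
    password_hash: str  # deliberately NOT whitelisted in Meta.field_auth below

# Authorizer signature assumed here: (instance, field_name, user) -> bool
def all_authorizer(instance, field_name, user):
    return True
def self_only_authorizer(instance, field_name, user):
    return user is not None and user.get("id") == instance.id
def node_authorizer(instance, user):  # node-level gate: caller must be logged in
    return user is not None
def _make_resolver(name, check, node_auth):
    # Follows graphene's resolver contract resolve_<name>(root, info); user is read from info.context
    def resolver(root, info):
        user = getattr(info.context, "user", None)
        if not node_auth(root, user) or not check(root, name, user):
            raise PermissionError(name)
        return getattr(root, name)
    return resolver

class AuthZObjectType:
    """Stand-in for the proposed AuthZSQLAlchemyObjectType: reads Meta.field_auth and attaches one
    guarded resolve_<field> per whitelisted field; unlisted model columns get no resolver, so they cannot leak."""
    def __init_subclass__(cls, **kw):
        super().__init_subclass__(**kw)
        meta = getattr(cls, "Meta", None)
        field_auth = getattr(meta, "field_auth", {})
        node_auth = getattr(meta, "authorize_node_function", lambda root, user: True)
        cls.exposed_fields = tuple(field_auth)
        for name, check in field_auth.items():
            setattr(cls, f"resolve_{name}", staticmethod(_make_resolver(name, check, node_auth)))

class MyNode(AuthZObjectType):
    class Meta:
        authorize_node_function = node_authorizer
        field_auth = {"name": all_authorizer, "private_things": self_only_authorizer}

def resolve_as(node_cls, row, field_name, user):
    # Resolve one field as `user`: the value, or None when denied or not whitelisted at all
    resolver = getattr(node_cls, f"resolve_{field_name}", None)
    try:
        return resolver(row, SimpleNamespace(context=SimpleNamespace(user=user))) if resolver else None
    except PermissionError:
        return None
```

In a real schema you would raise a GraphQL error rather than return None, but the denial path is the same: the check runs inside the resolver, so it cannot be bypassed by selecting the field directly.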
