Authorization and Permission Handling

We’re going to move the auth logic into a separate file which will be easier for people to add their own custom auth logic to. We also need to add permission handling here, though we’re not sure on the best way to do permission verification w/ GraphQL.

Perhaps each resolve function for collections include required permissions and those are passed into the authorize method, like this: authorize(token, requiredPermissions). The JWToken can contain permissions within it. These will be checked against the permissions hardcoded in each resolve function via an authorize method.

Do you have any thoughts on this?

cc @pmuens @minibikini @eahefnawy @breandr

Issue Analytics

  • State:closed
  • Created 7 years ago
  • Comments:10 (6 by maintainers)

Top GitHub Comments

4 reactions
brettstack commented, Mar 31, 2016

Something like this?

//authorize.js
// `jwt` is assumed to be the already verified and decoded token payload,
// carrying a `permissions` array (signature verification happens before this call).
function authorize(jwt, requiredPermissions) {
    const granted = (jwt && Array.isArray(jwt.permissions)) ? jwt.permissions : []
    const missingPermissions = requiredPermissions.filter(p => !granted.includes(p))
    if (missingPermissions.length === 0) {
        return Promise.resolve()
    }

    // Reject with the permissions the token lacks so the caller can report them
    return Promise.reject(missingPermissions)
}

//users/queries.js
resolve: (source, {jwt, username}) => authorize(jwt, ['GET_USER']).then(() => get(username))

Is there somewhere higher up we can do auth so that we don’t need to add the authorize(jwt, ['GET_USER']).then(() => boilerplate to each resolve? Instead if we could add requiredPermissions: ['GET_USER'] on the query object… But my knowledge of GraphQL fails me.
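The per-field declaration brettstack asks about, written out as an added example that is not from the issue or the project's code: each field config carries requiredPermissions and a single wrapper applies authorize before the resolver runs, so the resolvers themselves stay free of the boilerplate. The field-config shape (args, resolve) mirrors graphql-js but no GraphQL library is imported; the verified, decoded token is assumed to arrive on the resolver context as context.jwt rather than as a query argument; get, the users table and the two token payloads are constructed for the example. A field that declares no requiredPermissions is rejected when the wrapper is applied, so a forgotten declaration fails closed instead of silently exposing the field.

```javascript
// Added example, not the project's code. Assumed shape: a plain object of
// field configs { requiredPermissions, resolve(source, args, context, info) }.
// context.jwt is the already verified, decoded token payload (assumption).

// Resolves when the payload carries every required permission, otherwise
// rejects with an Error listing what is missing.
function authorize(jwt, requiredPermissions) {
  const granted = jwt && Array.isArray(jwt.permissions) ? jwt.permissions : []
  const missing = requiredPermissions.filter((p) => !granted.includes(p))
  if (missing.length === 0) {
    return Promise.resolve()
  }
  const err = new Error('missing permissions: ' + missing.join(', '))
  err.missing = missing
  return Promise.reject(err)
}

// Wrap every field so authorize runs once, before the original resolver.
// Every field must state its requirements, even public ones (use []),
// so an omission is caught at schema build time rather than at request time.
function withAuthorization(fields) {
  const wrapped = {}
  for (const [name, field] of Object.entries(fields)) {
    if (!Array.isArray(field.requiredPermissions)) {
      throw new Error(`field "${name}" declares no requiredPermissions`)
    }
    wrapped[name] = {
      ...field,
      resolve: (source, args, context, info) =>
        authorize(context && context.jwt, field.requiredPermissions).then(() =>
          field.resolve(source, args, context, info)
        ),
    }
  }
  return wrapped
}

// Constructed stand-in for the users table and its getter.
const users = { alice: { username: 'alice', email: 'alice@example.com' } }
const get = (username) => users[username]

// users/queries.js equivalent: permissions are declared next to the resolver.
const userQueries = withAuthorization({
  user: {
    requiredPermissions: ['GET_USER'],
    resolve: (source, { username }) => get(username),
  },
  health: {
    requiredPermissions: [],
    resolve: () => 'ok',
  },
})

// Constructed decoded payloads; signature verification is assumed to have
// already happened when these were placed on the context.
const adminToken = { sub: 'alice', permissions: ['GET_USER', 'CREATE_USER'] }
const guestToken = { sub: 'bob', permissions: [] }

// Runs the `user` query for a token and reports the outcome in one object.
function runUserQuery(token, username) {
  return userQueries.user
    .resolve(null, { username }, { jwt: token }, null)
    .then((user) => ({ ok: true, user }))
    .catch((err) => ({ ok: false, error: err.message }))
}

runUserQuery(adminToken, 'alice').then(console.log) // { ok: true, user: { ... } }
runUserQuery(guestToken, 'alice').then(console.log) // { ok: false, error: 'missing permissions: GET_USER' }
```

The wrapper is the "somewhere higher up": it is applied once where the query fields are assembled, and the authorization policy lives as data on each field, which also makes it easy to list every field and its required permissions when reviewing the schema.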

1 reaction
eahefnawy commented, Apr 1, 2016

Good thoughts! So what that would mean is that the createUser function will add a permissions array to the user dynamoDB record based on the role that is provided by the query (when you sign up you’ll choose whether to be an admin or not…maybe?), and the loginUser function will take that record and inject it in the jwt token.

I guess that makes sense.
