npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

graphql-auth-user-directives

v2.4.4

Published

Add authorization to your GraphQL API using schema directives.

Downloads

28

Readme

graphql-auth-user-directives

Add authentication to your GraphQL API with schema directives. Provides options for improved managing of permissions, also for non-authenticated users, and manages conditional permission performing Neo4j lookups based on user defined queries.

Schema directives for authorization

  • [ ] @isAuthenticated
  • [ ] @hasRole
  • [ ] @hasScope

Quick start

npm install --save graphql-auth-user-directives

Then import the schema directives you'd like to use and attach them during your GraphQL schema construction. For example using neo4j-graphql.js' makeAugmentedSchema:

import { IsAuthenticatedDirective, HasRoleDirective, HasScopeDirective } from "graphql-auth-user-directives";

const augmentedSchema = makeAugmentedSchema({
  typeDefs,
  schemaDirectives: {
    isAuthenticated: IsAuthenticatedDirective,
    hasRole: HasRoleDirective,
    hasScope: HasScopeDirective
  }
});

The @hasRole, @hasScope, and @isAuthenticated directives will now be available for use in your GraphQL schema:

type Query {
    userById(userId: ID!): User @hasScope(scopes: ["User:Read"])
    itemById(itemId: ID!): Item @hasScope(scopes: ["Item:Read"])
}

Be sure to inject the request headers into the GraphQL resolver context. For example, with Apollo Server:

const server = new ApolloServer({
  schema,
  context: ({ req }) => {
    return req;
  }
});

In the case that the token was decoded without errors the context.user will store the payload from the token, that is, you could for example create a Query me with the following resolver:

me: (parent, args, context) => {
      console.log(context.user.id);
}

A JWT must then be included in each GraphQL request in the Authorization header. For example, with Apollo Client:

import { createHttpLink } from 'apollo-link-http';
import { setContext } from 'apollo-link-context';
import { InMemoryCache } from 'apollo-cache-inmemory';
import { ApolloClient } from 'apollo-client';


const httpLink = createHttpLink({
    uri: <YOUR_GRAPHQL_API_URI>
});

const authLink = setContext((_, { headers }) => {
    const token = localStorage.getItem('id_token'); // here we are storing the JWT in localStorage
    return {
        headers: {
            ...headers,
            authorization: token ? `Bearer ${token}` : "",
        }
    }
});

const client = new ApolloClient({
    link: authLink.concat(httpLink),
    cache: new InMemoryCache()
});

If all is set up correctly you should be able to use the directives and resolvers that use any of these directives the roles and/or permissions will be attached to the user which is provided in the context.

Configure

Setting the authorization header name

By default the package looks at the header name 'authorization' (capital letter sensitive). However you may specify the environment variable AUTHORIZATION_HEADER allowing for example for a header name like 'Application-Authorization', i.e.

export AUTHORIZATION_HEADER=Aplication-Authorization 

Setting the JWT token (required)

There are two variables to control how tokens are processed. If you would like the server to verify the tokens used in a request, you must provide the secret used to encode the token in the JWT_SECRET variable. Otherwise you will need to set JWT_NO_VERIFY to true.

export JWT_NO_VERIFY=true //Server does not have the secret, but will need to decode tokens

or

export JWT_SECRET=><YOUR_JWT_SECRET_KEY_HERE> //Server has the secret and will verify authenticity

JSON based scopes (optional)

You might provide scopes directly to the encoded user. However you may also control the scopes of a role within your backend, changing it with a mere change of an environmental variable. With this approach you do not depend on another system to refresh scopes.
To do so you need to define a JSON specified file, e.g.

{
  "role1": ["resource1:action1", "resource2:action2"],
  "role2": ["resource3:action3", "resource4:action4"]
}

Assuming your user has a provided role, this package will determine the corresponding permissions. To insert this JSON file you'll need to base64 encode it to add is as an environment variable, e.g.

export PERMISSIONS=ewogICJyb2xlMSI6IFsicmVzb3VyY2UxOmFjdGlvbjEiLCAicmVzb3VyY2UyOmFjdGlvbjIiXSwKICAicm9sZTIiOiBbInJlc291cmNlMzphY3Rpb24zIiwgInJlc291cmNlNDphY3Rpb240Il0KfQ==

Note that a user might have multiple roles, in this case all permissions of the corresponding roles will be concatenated, providing the expected results.
Furthermore, if you work with such permission JSON you can provide a default user, e.g. the role that will be applied if authentication fails. Specify the user in your JSON and provide the name of the role as an environment variable, e.g.:

export DEFAULT_ROLE=visitor

This option allows you to specify a clear set of permissions for non-authenticated users.
Finally, in some cases the roles and or scopes in the decoded user object may come with an url such as https://grandstack.io/roles and https://grandstack.io/scopes, you can map these to roles and scopes respectively in your final user by providing the meta names comma separated, e.g.

export USER_METAS="roles,scopes"

Conditional permissions (optional)

This package includes a conditional based authorisation functionality, for example: a mutation may have the scope object: edit, however you only wish some user to provide access if he/she is the owner of this object, the scope for this user might be object: edit: isOwner (this is also the way to define such permission, using another : and specifying the condition, however you'd like to name it).
What you need to do is configure a query that is needed to check on whether this user is the owner.

import { conditionalQueryMap } from 'graphql-auth-user-directives';

conditionalQueryMap.set(
    "object:isOwner",
    (user, objectId) => { return `
    MATCH path=(a:Object {uid: "${objectId}"})<-[:OWNS]-(u:User {uid:"${user.uid}"})
    WITH CASE WHEN path IS NULL THEN false ELSE true END as is_allowed
    ` }
);

Three things are important to note:

  1. The key used to set the map is set the name of the object (in this example object), and the condition (in this case isOwner) separated by a :.
  2. You should end the Cypher query with a WITH statement that defines a variable called is_allowed.
  3. The function defined returns a string (the query used to perform the permission lookup in Neo4j) and it gets two input arguments, the user as it is decoded and the objectId which is strongly related to the object itself. See the next part on the object identifier.

The conditional permissions do not have to be specified in the schema, if one defines @hasScope(scopes: ["object: edit"] for a query or mutation, then if the user has a the permission object: edit: someCondition then this condition will be verified by default.

Defining the Object identifier

This object id is extracted from the provided parameters in Apollo. Usually it will be id or uid. By default we provide preference for id followed by uid. You can change this by setting the environment variable OBJECT_IDENTIFIER. By default it is thus set to the string "id", "uid".

Separately checking conditional permissions

You may want to verify conditional permissions separately, e.g. to check whether the frontend should present a piece of code. Therefore you can now call the conditional permission check function:

// Example of how this function could be used in a Query
import { satisfiesConditionalScopes } from "graphql-auth-user-directives";

exports.resolver = {
    Query: {
        checkConditionalPermission: async (obj, params, ctx, resolveInfo) => {
            // (optional) First check if scopes are defined for the user
            const userScopes = ctx.user && ctx.user.scopes;
            if(userScopes == null){
                throw new UserInputError("You have no scopes and therefore no access");
            }

            // params.scopes contains the array of conditional scopes that should be checked.
            return await satisfiesConditionalScopes(
                ctx.driver, params.scopes, userScopes, ctx.user, params.objectId
            );
        }
    }
}

Note that it is a more trivial exercise to verify non-conditional scopes for this is merely a direct lookup in the scopes of the user. Therefore this is not expected to be required to be exported.

Running Tests Locally

You'll need to set node 13 or higher (due to the triple dot operator).

nvm use 13

Then run the tests by performing

yarn test

The JWT secret, permissions and metas required for testing are all defined in the .env file.