npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

graphql-factory-acl

v0.1.4

Published

ACL Middleware for GraphQL Factory

Downloads

1

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

vbrandenvbranden

Keywords

graphqlmiddlewareaclresolveauthauthnauthenticateauthentication

Readme

graphql-factory-acl

ACL Middleware/plugin for GraphQL Factory

About

A graphql-factory plugin that provides granular control over graphql operations as well as a graphql api for the acl library itself.

Example

import * as graphql from 'graphql'
import GraphQLFactory from 'graphql-factory'
import ACLPlugin from 'graphql-factory-acl'
import ACL from 'acl'
import jwt from 'jsonwebtoken'

// import a graphql-factory definition that has been
// tagged with _factoryACL
import definition from './definition'

const userId = 'admin@localhost'
const options = { secret: 'abc123' }
const acl = new ACL(new ACL.memoryBackend())
const plugin = new ACLPlugin(acl, options)
const factory = GraphQLFactory(graphql)
const lib = factory.make(definition, {
    plugin: [ plugin ]
})

const token = jwt.sign({ userId }, options.secret)

lib.Foo(`
    query BarQuery {
        readBar {
            baz
        }
    }
`, { jwt: token })
.then(result => {
    ...
})

Permissions

Tagging

Permissions are applied to an operation by adding them via the allow mutation (or directly with an acl instance) and tagging the query/mutation/subscription field with a _factoryACL tag who's value is the required permission for that operation.

{
  schemas: {
    Foo: {
      query: {
        fields: {
          Bar: {
            type: ['Baz'],
            resolve () {...},
            _factoryACL: 'read'
          }
        }
      }
    }
  }
}

Resource Path

Resource paths are how this plugin uniquely identifies a schema, operation type, field, argument, and/or selection. Resource paths can also be used to specify inherited permissions by ending the path with an * which indicates that the permission be applied to that path and everything below it.

For example

// gives the admin role access to all operations in the ACL schema
acl.allow('admin', 'ACL.*', '*')

// allow users role to read all properties of the hasRole query
acl.allow('users', 'ACL.query.hasRole.*', 'read')

// allow the dev role access to read and write only the
// baz field of the mutation Bar in the schema Foo
acl.allow('dev', [
  'Foo.mutation.Bar.args.baz',
  'Foo.mutation.Bar.selection.baz'
], '*')

Explicit deny paths aka !paths can also be allowed in order to explicitly deny access to a resource path

For example the following permissions would allow the helpdesk role complete access to the User schema but error on any selection of the password field. However setting the password is still possible since !User.mutation.createUser.args.password has not been allowed

acl.allow('helpdesk', [
  'User.*',
  '!User.mutation.createUser.selection.password',
  '!User.query.readUser.selection.password',
  '!User.subscription.subscribeUser.selection.password'
], '*')

Additionally the resource path * gives access to everything that is tagged with _factoryACL

Permissions

In general when securing a graphql api using the * permission is sufficient since the resource path itself contains information on what type of operation (mutation/query/subscription) is taking place. Named permissions can however be used to allow partial access to a schema.

For example if you wanted to allow users full access to the Foo schemas mutations except for the ability to delete things you can tag all mutations that delete with a delete permission and the rest with a write permission and use the following allow

acl.allow('users', 'Foo.mutations.*', 'write')

When the permission for delete is evaulated it will fail for the users role as expected. Of course an alternative is also to add an explicit deny with !Foo.mutations.deleteFoo.*

Authorization

JSON Web Tokens (jwt) are used for authorization. When setting up the plugin a secret option can be supplied and will be used during verification of any jwt provided in the rootValue.jwt property of the graphql request.

Additionally a systemApiKey option can be set and provided in rootValue.apikey in order to give unrestricted access. This can be useful for operations like subscriptions that run for extended periods of time and could potentially encounter and expired jwt. Or event for server side scheduled tasks that require calls to the graphql api.

JWT

JSON web tokens are used for authorization because they can be rotated and carry information in their payload. jwt should be generated by an authentication service that issues jwt signed with the same secret configured on the acl plugin.

payload

The payload MUST be an object with a userId field containing the requesting users id. If you wish to use a field other than userId (because your jwt service puts it in a different path) you can set the userIdField in the plugin options with a lodash compatible path string.

rotating secrets

The plugin verifies every jwt on each request and looks up the current secret during that process. This is why the secret value is intentionally stored in the plugin options object. This way you can keep a reference to the options object in your main project and simply update the secret field.

Additionally, when setting up a new ACL database or during development you may wish to bypass ACL authentication. To bypass all ACL checks simply do not set a secret in the options. This can be useful when setting up a new admin user with access to the ACL api to set up future permissions. Additionally a helper method createAdmin has been provided to add complete access to the ACL schema.

API

ACLPlugin (acl:Acl, options:Object)

Creates a new acl plugin

Parameters

  • acl - An acl instance initialized with a backend
  • options
    • [schemaName=ACL] {string} - Customizable graphql schema name
    • [secret] {string} - Secret to use when signing jsonwebtokens. If omitted no acl rules will be evaluated (should only be omitted during dev or initial setup)
    • [systemUserId] {string} - Optional userId that will not be checked against acl rules and will have unrestricted access to all graphql schemas.
    • [systemApiKey] { string } - Optional system apikey for unrestricted access. must be passed in the rootValue.apikey property.

GraphQL API

The plugin provides a complete graphql api for the acl library and adds additional shortcut/helper methods for managing permissions on graphql resources. The original acl documentation is a good place to start for understanding the acl API.

Please refer to the ACL Schema Definition for included query/mutations. Additional operations added are

  • queries
    • listUsers - provides a list of users
  • mutations
    • allowUserId - same as allow except allows a specific userId
    • removeAllowUserId - same as removeAllow except it removes permissions for a specific userId
    • allowGraphQL - constructs a graphql resource path and allows access to it
    • removeAllowGraphQL - constructs a graphql resource path and removes access to it