Authorization in the GraphQL era

AUTH IN THE GraphQL ERA

Don't talk with me, I'm a picture!

evilmartians.com

TATARSTAN

Authorization 90 % GraphQL 10 % Buzzwords   of  
GraphQL 100 % How do I see my talk What do people expect

https://book.productionreadygraphql.com/

GraphQL Auth through the prism of RESTful Auth

Standard Rails App DB UsersController PostsController GET /users POST /users
ImagesController ... GET /posts/:id PUT /posts/:id ... GET /images POST /images ... ... BUSINESS LOGIC LAYER

ImagesController ... GET /posts/:id PUT /posts/:id ... GET /images POST /images ... ... BUSINESS LOGIC LAYER User

ImagesController ... GET /posts/:id PUT /posts/:id ... GET /images POST /images ... ... BUSINESS LOGIC LAYER Data

ImagesController ... GET /posts/:id PUT /posts/:id ... GET /images POST /images ... ... BUSINESS LOGIC LAYER RESTFul

Rails DHH way it's me

Standard* Rails App DB UsersController PostsController GET /users POST /users
ImagesController ... GET /posts/:id PUT /posts/:id ... GET /images POST /images ... ... BUSINESS LOGIC LAYER *ACCESS CONTROL  LAYER RESTFul

REST\RESTfull is a software architectural style that deﬁnes a set
of constraints to be used for creating web services (c) Wikipedia

GraphQL is a query language for APIs and a runtime
for fulﬁlling those queries with your existing data.

DB GraphqlController POST /graphql BUSINESS LOGIC LAYER GraphQL Rails App
GRAPHQL INTERNALS

GRAPHQL INTERNALS User Data

GRAPHQL INTERNALS ???

GraphqlControll#execute class GraphqlControll < ApplicationController!::Base def execute query = params[:query]
result = AppSchema.execute(query, params: params) render json: result end end

GraphQL Internals

AppSchema#execute(q, p) GraphQL Internals GraphqlController POST /graphql

AppSchema#execute(q, p) Types-- Mutations-- GraphQL Internals GraphqlController POST /graphql *R**
C*UD

AppSchema#execute(q, p) GraphQL Internals Types-- Mutations-- POST /graphql TagType UserType
PostType ImageType ProﬁleType CommentType CreatePostMutation AddCommentMutation UpdateProﬁleMutation GraphqlController

When You Read First Pages of GraphQL Documentation

*ACCESS CONTROL  LAYER DB GraphqlController POST /graphql BUSINESS LOGIC LAYER
GraphQL* Rails App GRAPHQL ENGINE

Authentication before authorization

Authentication WHO IS WHO? Homer#0 Homer#1 Homer#2 Homer#3

Authentication Auth Framework User Model Crypto Layer Helpers (e.g. emails)
... (e.g. devise) GraphQL RESTfull ? How to use Framework ?

AppSchema#execute Login\Logout? Types-- Mutations-- POST /graphql TagType UserType PostType ImageType
ProﬁleType CommentType LoginUser LogoutUser UpdateProﬁleMutation GraphqlController

ProﬁleType CommentType LoginUser LogoutUser UpdateProﬁleMutation GraphqlController # NOT NECESSARY

ProﬁleType CommentType CreatePostMutation AddCommentMutation UpdateProﬁleMutation GraphqlController GOOD [DeviseControllers]

class GraphqlControll < ApplicationController!::Base def execute query = params[:query] context
= {current_user: get_user_from_api_token} result = AppSchema.execute(query, context: context) render json: result end end GraphqlControll#execute

UsersController PostsController POST /users ImagesController ... GET /posts/:id PUT /posts/:id
... GET /images POST /images ... *ACCESS CONTROL  LAYER GET /users Ensuring Authentication

before_action :authenticate_user! UsersController PostsController POST /users ImagesController ... GET /posts/:id
PUT /posts/:id ... GET /images POST /images ... *ACCESS CONTROL  LAYER GET /users

AppSchema#execute The One Entrypoint Types-- Mutations-- POST /graphql TagType UserType

Welcome graphql-ruby! ⭐ 4.1k on Github

class GraphqlControll < ApplicationController!::Base def execute query = params[:query] context
= {current_user: get_user_from_api_token} result = AppSchema.execute(query, context: context) render json: result end end GraphqlControll#execute * context - state passed through the entire request

AppSchema#execute(q, p) GraphQL Internals Types-- Mutations-- POST /graphql TagType UserType

class UserType < BaseType field :profile, ProfileType def profile user.profile
end end UserType !-> ProﬁleType class ProfileType < BaseType field :full_name !!... end

class UserType < BaseType field :profile, ProfileType def profile raise
NotAuthorized unless context[:current_user]&.is_a?(User) user.profile end end UserType !-> ProﬁleType

class UserType < BaseType field :profile, ProfileType def profile raise
NotAuthorized unless context[:current_user]&.is_a?(User) user.profile end end UserType !-> ProﬁleType Maintainability

We Need Some Magic!

class UserType < BaseType field :profile, ProfileType def profile user.profile
end def visible?(context) raise NotAuthorized unless context[:current_user]&.is_a?(User) end end Visibility * visibility - special graphql-ruby feature

module Extensions module Visibility def visible?(context) return context[:current_user]&.is_a?(User) super end
end end BaseType.prepend(Extensions!::Visibility) Visibility Extension

module Extensions module Visibility def visible?(context) return context[:current_user]&.is_a?(User) super end
end end BaseType.prepend(Extensions!::Visibility) Visibility Extension Global

Visibility Extension module Extensions module Visibility def initialize(*args, login_required: false,
!**kwargs, &block) super(*args, !**kwargs, &block) @login_required = login_required end def visible?(context) return context[:current_user]&.is_a?(User) if @login_required super end end end

class UserType < BaseType field :posts, PostType.connection_type with_options login_required: true
do field :profile, ProfileType end end Visibility Extension #

CommentType Why Is Visibility Better Then Other Ways?

Why Is Visibility Better? CommentTyp # GraphQL query { !__schema
{ types { name } } } GraphQL Introspection

AppSchema#execute Types-- Mutations-- POST /graphql TagType UserType PostType ImageType ProﬁleType
CommentType CreatePostMutation AddCommentMutation UpdateProﬁleMutation GraphqlController Hide Parts of Your Schema

Authorization

Authorization CAN this HOMER HAVE A BEER?

class UserType < BaseType field :posts, PostType.connection_type with_options login_required: true,
admin: true do field :profile, ProfileType end end And Again Visibility?

Authorization is Flexible (current_user has role) !|| (current_user has permission)
!|| (business rule) !|| !!...

class UserType < BaseType def self.authorized?(object, context) (current_user has role)
!|| (current_user has permission) !|| (business rule) !|| end end GraphQL Authorization * authorized? - graphql-ruby feature

Authorization Auth Library API Abilities Layer Helpers (e.g. for templates)
... (e.g. cancan or pundit)

Authorization Auth Library API Abilities Layer Helpers (e.g. for templates)
... (e.g. cancan or pundit) GraphQL RESTfull ? How to use Library ?

Ability For Each Action UsersController PostsController POST /users ImagesController ...
GET /posts/:id PUT /posts/:id ... GET /images POST /images ... *ACCESS CONTROL  LAYER GET /users can? :read, Image can? :create, Image can? :read, @post can? :update, @post !!...

Ability For Each Action UsersController PostsController POST /users ImagesController ...
GET /posts/:id PUT /posts/:id ... GET /images POST /images ... *ACCESS CONTROL  LAYER GET /users can? :read, Image can? :create, Image can? :read, @post can? :update, @post !!... CONTROLLER RESOURCE

CommentType CreatePostMutation AddCommentMutation UpdateProﬁleMutation GraphqlController Ability For Each Node

CommentType CreatePostMutation AddCommentMutation UpdateProﬁleMutation GraphqlController Ability For Each Node author (String) body (String)

1+ Endpoints for Sets of Fields PostsController GET /posts/:id PUT
/posts/:id ... *ACCESS CONTROL  LAYER Admin::PostsController GET /admin/posts/:id PUT /admin/posts/:id ... Post id title body published_at

Can We (re)Use Existing Abilities Layer?

Yes, but ... • How to pass the current_user? •
How to handle unauthorized error? • How to ensure authorization happens? • Hot to get rid of boilerplate? ... class UserType < BaseType field :profile, ProfileType def profile profile = user.profile can :read?, profile profile end end

class UserType < BaseType field :profile, ProfileType def profile profile
= user.profile can :read?, profile profile end end Yes, but ... • How to pass the current_user? • How to handle unauthorized error? • How to ensure authorization happens? • Hot to get rid of boilerplate? ... Library Helpers

GraphQL Pro

Who Has Heard about gem "action_policy"?

gem "action_policy" The Authorization Framework

gem "action_policy" + GraphQL !== gem "action_policy-graphql"

class UserType < BaseType field :profile, ProfileType, authorize: true end
class ProfilePolicy < ApplicationPolicy def show? current_user.id !== record.id end end As Easy as Possible

# in your schema file rescue_from(ActionPolicy!::Unauthorized) do |exp| raise GraphQL!::ExecutionError.new(
exp.result.message, extensions: { code: :unauthorized, fullMessages: exp.result.reasons.full_messages, details: exp.result.reasons.details } ) end Handling Exceptions

# All Docs GraphQL Features

CommentType CreatePostMutation AddCommentMutation UpdateProﬁleMutation GraphqlController Scoping Data admin? manager? owner? guest?

class UserType < BaseType field :posts, PostType.connection_type, authorized_scope: true end
class PostPolicy < ApplicationPolicy # rel !== user.posts relation_scope do |rel| next rel.with_deleted if current_user.admin? next rel if user !== current_user rel.where(published: true) end end Scoping Data

UI/UX CAN HOMER PRESS THE BUTTON?

Where is the best place for UX element display logic?
On Backend On Frontend On Both sides UI/UX 1. 2. 3.

On Backend On Frontend On Both sides UI/UX Expose Where
is the best place for UX element display logic?

class PostType < BaseType expose_authorization_rules :edit?, :destroy? end UI/UX

UI/UX { post(id: $id) { canEdit { value # bool
message # top-level decline message reasons { # detailed information details fullMessage } } !!... }

Hot Abilities

CommentType CreatePostMutation AddCommentMutation UpdateProﬁleMutation GraphqlController Hot Abilities can :edit?

class UserType < BaseType field :profile, ProfileType, authorize: true end
class ProfilePolicy < ApplicationPolicy cache :show? def show? # heavy calculation end end Let's Cache it!

Why We Are Talking Only About Reading Data?

AppSchema#execute GraphQL Internals Types-- Mutations-- POST /graphql TagType UserType PostType
ImageType ProﬁleType CommentType CreatePostMutation AddCommentMutation UpdateProﬁleMutation GraphqlController

class CreatePostMutation < BaseMutation !!... def resolve(post:, *attrs) authorize! post,
to: :create? # business logic here end end Mutations !!<=> Service Objects

class CreatePostMutation < BaseMutation !!... def resolve(post:, *attrs) authorize! post,
to: :create? # business logic here end end Mutations !!<=> Service Objects # after_action :verify_authorized How to ensure policies are used?

Ensuring Policies are Used class BaseMutation < GraphQL!::Schema!::RelayClassicMutation after_resolve do
raise "Unauthorized mutation" unless @authorization_performed end def authorize!(*) @authorization_performed = true super end def skip_authorization! @authorization_performed = true end end *Full gist: https://bit.ly/2UYZpSX

Testing

Only Integration Tests describe PostType do let(:query) do !<<~GRAPHQL query($id:
ID!){ node(id: $id) { !!... } } GRAPHQL end let(:context) { current_user: create(:user) } it "checks execution" do result = AppSchema.execute(query, context: context, !!...) expect(result["data"]["node"][!!...]).to eq(!!...) end end

Auth Tests describe PostType do describe "#somefield" do context "when
user is admin" do let(:current_user) { create(:admin) } # it !!... end context "when user is owner" do let(:current_user) { create(:user, post: post) } # it !!... end context "when user is guest" do let(:current_user) { nil } # it !!... end end end

Bad Auth Tests Testing is not what they should Slow
Complex describe PostType do describe "#somefield" do context "when user is admin" do let(:current_user) { create(:admin) } # it !!... end context "when user is owner" do let(:current_user) { create(:user, post: post) } # it !!... end context "when user is guest" do let(:current_user) { nil } # it !!... end end end

Good Auth Tests describe PostType do let(:post) { create(:post) }
subject { # call AppSchema.execute(id: post.id) here } describe "#somefield" do it "is authorized" do expect { subject }.to be_authorized_to(:show?, post) .with(PostPolicy) end end end

Conclusion

Conclusion Shared Auth* Libraries Features Features RESTful GraphQL

Conclusion Shared Auth* Libraries Features Features RESTful GraphQL / /
/ / / / /

@ssnickolay Nikolay Sverchkov @ssnickolay THANK YOU! @evilmartians http://evl.ms/blog http://evl.ms/telegram

Authorization in the GraphQL era

Authorization in the GraphQL era

More Decks by Nikolay Sverchkov

Other Decks in Programming

Featured

Transcript