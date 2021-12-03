If you are a Typescript expert, I could use a hand on a lingering typing issue when a shield parameter is added to an objectType. Please see the related issue for details. Thanks!
Nexus Shield is a nexus plugin that helps you create an authorization layer for your application. It is a replacement for the provided authorization plugin. It is heavily inspired by Graphql Shield and reuses most of it's familiar ruling system. It takes full advantage of the type safety provided by nexus.
npm install --save nexus-shield
OR
yarn add nexus-shield
The plugin first needs to be installed in nexus. This will add the new
shield parameter. The plugin will work without any provided configuration, but it is recommended to provide one that is relevant to your application. The available parameters are:
defaultError: The error that is thrown if the access is denied. See the errors section.
defaultRule: Rule that is used if none is specified for a field.
hashFunction: Function used to hash the input to provide caching keys.
For example, using an Apollo server:
import { nexusShield, allow } from 'nexus-shield';
import { ForbiddenError } from 'apollo-server';
const schema = makeSchema({
// ... Rest of the configuration
plugins: [
nexusShield({
defaultError: new ForbiddenError('Not allowed'),
defaultRule: allow,
}),
],
});
Two interfaces styles are provided for convenience:
Graphql-Shield and
Nexus.
rule()((root, args, ctx) => {
return !!ctx.user;
});
ruleType({
resolve: (root, args, ctx) => {
return !!ctx.user;
},
});
boolean, a
Promise<boolean> or throw an
Error.
false is returned, the configured
defaultError will be thrown by the plugin.
import { AuthenticationError } from 'apollo-server';
const isAuthenticated = ruleType({
resolve: (root, args, ctx) => {
const allowed = !!ctx.user;
if (!allowed) throw new AuthenticationError('Bearer token required');
return allowed;
},
});
Rules can be combined in a very flexible manner. The plugin provides the following operators:
and: Returns
true if all rules return
true
or: Returns
true if one rule returns
true
not: Inverts the result of a rule
chain: Same as
and, but rules are executed in order
race: Same as
or, but rules are executed in order
deny: Returns
false
allow: Returns
true
Simple example:
import { chain, not, ruleType } from 'nexus-shield';
const hasScope = (scope: string) => {
return ruleType({
resolve: (root, args, ctx) => {
return ctx.user.permissions.includes(scope);
},
});
};
const backlist = ruleType({
resolve: (root, args, ctx) => {
return ctx.user.token === 'some-token';
},
});
const viewerIsAuthorized = chain(
isAuthenticated,
not(backlist),
hasScope('products:read')
);
To use a rule, it must be assigned to the
shield parameter of a field:
export const Product = objectType({
name: 'Product',
definition(t) {
t.id('id');
t.string('prop', {
shield: ruleType({
resolve: (root, args, ctx) => {
return !!ctx.user;
},
}),
});
},
});
This plugin will try its best to provide typing to the rules.
definition to have access to the full typing of
root and
args.
ctx is always typed if it was properly configured in nexus
makeSchema.
export type Context = {
user?: { id: string };
};
export const Product = objectType({
name: 'Product',
definition(t) {
t.id('id');
t.string('ownerId');
t.string('prop', {
args: {
filter: stringArg({ nullable: false }),
},
shield: ruleType({
resolve: (root, args, ctx) => {
// root => { id: string }, args => { filter: string }, ctx => Context
return true;
},
}),
});
},
});
root or
args.
generic is provided for this purpose. It will wrap your rule in a generic function.
const isAuthenticated = generic(
ruleType({
resolve: (root, args, ctx) => {
// Only ctx is typed
return !!ctx.user;
},
})
);
// Usage
t.string('prop', {
shield: isAuthenticated(),
});
root.
partial is provided for this purpose. It will wrap your rule in a generic function.
const viewerIsOwner = partial(
ruleType({
type: 'Product' // It is also possible to use the generic parameter of `partial`
resolve: (root, args, ctx) => {
// Both root and ctx are typed
return root.ownerId === ctx.user.id;
},
})
);
// Usage
t.string('prop', {
shield: viewerIsOwner(),
});
If you mix and match generic rules with partial rules, you will need to specify the type in the parent helper.
const viewerIsAuthorized = partial<'Product'>(
chain(isAuthenticated(), viewerIsOwner())
);
However, if you specify it directly in the
shield field, there is not need for an helper thus no need for a parameter.
t.string('prop', {
shield: chain(isAuthenticated(), viewerIsOwner()),
});
The plugin offers 3 levels of caching:
NO_CACHE: No caching is done (default)
CONTEXTUAL: Use when the rule only depends on the
ctx
STRICT: Use when the rule depends on the
root or
args
Usage:
rule({ cache: ShieldCache.STRICT })((root, args, ctx) => {
return true;
});
ruleType({
cache: ShieldCache.STRICT,
resolve: (root, args, ctx) => {
return !!ctx.user;
},
});
Currently the typing of the
shield parameter on
objectType doesn't work. Tracked by issue: https://github.com/Sytten/nexus-shield/issues/50
It is not possible to pass directly an
objectType to the parameter
type of a
ruleType. Tracked by issue: https://github.com/graphql-nexus/schema/issues/451
The helpers are necessary to provide strong typing and avoid the propagation of
any. See this StackOverflow issue for more on the subject.