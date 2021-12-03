Help Wanted ⚠️

If you are a Typescript expert, I could use a hand on a lingering typing issue when a shield parameter is added to an objectType. Please see the related issue for details. Thanks!

Overview

Nexus Shield is a nexus plugin that helps you create an authorization layer for your application. It is a replacement for the provided authorization plugin. It is heavily inspired by Graphql Shield and reuses most of it's familiar ruling system. It takes full advantage of the type safety provided by nexus.

Install

npm install --save nexus-shield OR yarn add nexus-shield

Usage

Nexus configuration

The plugin first needs to be installed in nexus. This will add the new shield parameter. The plugin will work without any provided configuration, but it is recommended to provide one that is relevant to your application. The available parameters are:

defaultError : The error that is thrown if the access is denied. See the errors section.

: The error that is thrown if the access is denied. See the errors section. defaultRule : Rule that is used if none is specified for a field.

: Rule that is used if none is specified for a field. hashFunction : Function used to hash the input to provide caching keys.

For example, using an Apollo server:

import { nexusShield, allow } from 'nexus-shield' ; import { ForbiddenError } from 'apollo-server' ; const schema = makeSchema({ plugins: [ nexusShield({ defaultError: new ForbiddenError( 'Not allowed' ), defaultRule: allow, }), ], });

Styles

Two interfaces styles are provided for convenience: Graphql-Shield and Nexus .

rule()( ( root, args, ctx ) => { return !!ctx.user; });

Nexus

ruleType({ resolve: ( root, args, ctx ) => { return !!ctx.user; }, });

Error

A rule needs to return a boolean , a Promise<boolean> or throw an Error .

, a or throw an . Contrary to Graphql-shield, this plugin will NOT catch the errors you throw and will just pass them down to the next plugins and eventually to the server

catch the errors you throw and will just pass them down to the next plugins and eventually to the server If false is returned, the configured defaultError will be thrown by the plugin.

import { AuthenticationError } from 'apollo-server' ; const isAuthenticated = ruleType({ resolve: ( root, args, ctx ) => { const allowed = !!ctx.user; if (!allowed) throw new AuthenticationError( 'Bearer token required' ); return allowed; }, });

Operators

Rules can be combined in a very flexible manner. The plugin provides the following operators:

and : Returns true if all rules return true

: Returns if rules return or : Returns true if one rule returns true

: Returns if rule returns not : Inverts the result of a rule

: Inverts the result of a rule chain : Same as and , but rules are executed in order

: Same as , but rules are executed in order race : Same as or , but rules are executed in order

: Same as , but rules are executed in order deny : Returns false

: Returns allow : Returns true

Simple example:

import { chain, not, ruleType } from 'nexus-shield' ; const hasScope = ( scope: string ) => { return ruleType({ resolve: ( root, args, ctx ) => { return ctx.user.permissions.includes(scope); }, }); }; const backlist = ruleType({ resolve: ( root, args, ctx ) => { return ctx.user.token === 'some-token' ; }, }); const viewerIsAuthorized = chain( isAuthenticated, not(backlist), hasScope( 'products:read' ) );

Shield Parameter

To use a rule, it must be assigned to the shield parameter of a field:

export const Product = objectType({ name: 'Product' , definition(t) { t.id( 'id' ); t.string( 'prop' , { shield: ruleType({ resolve: ( root, args, ctx ) => { return !!ctx.user; }, }), }); }, });

Type safety

This plugin will try its best to provide typing to the rules.

It is preferable to define rules directly in the definition to have access to the full typing of root and args .

to define rules directly in the to have access to the full typing of and . The ctx is always typed if it was properly configured in nexus makeSchema .

is always typed if it was properly configured in nexus . If creating generic or partial rules, use the appropriate helpers (see below).

export type Context = { user?: { id: string }; }; export const Product = objectType({ name: 'Product' , definition(t) { t.id( 'id' ); t.string( 'ownerId' ); t.string( 'prop' , { args: { filter: stringArg({ nullable: false }), }, shield: ruleType({ resolve: ( root, args, ctx ) => { return true ; }, }), }); }, });

Generic rules

Generic rules are rules that do not depend on the type of the root or args .

or . The wrapper generic is provided for this purpose. It will wrap your rule in a generic function.

const isAuthenticated = generic( ruleType({ resolve: ( root, args, ctx ) => { return !!ctx.user; }, }) ); t.string( 'prop' , { shield: isAuthenticated(), });

Partial rules

Partial rules are rules that depend only on the type of the root .

. The wrapper partial is provided for this purpose. It will wrap your rule in a generic function.

const viewerIsOwner = partial( ruleType({ type : 'Product' resolve: ( root, args, ctx ) => { return root.ownerId === ctx.user.id; }, }) ); t.string( 'prop' , { shield: viewerIsOwner(), });

Combining rules

If you mix and match generic rules with partial rules, you will need to specify the type in the parent helper.

const viewerIsAuthorized = partial< 'Product' >( chain(isAuthenticated(), viewerIsOwner()) );

However, if you specify it directly in the shield field, there is not need for an helper thus no need for a parameter.

t.string( 'prop' , { shield: chain(isAuthenticated(), viewerIsOwner()), });

Caching

The result of a rule can be cached to maximize performances. This is important when using generic or partial rules that require access to external data.

The caching is always scoped to the request

The plugin offers 3 levels of caching:

NO_CACHE : No caching is done (default)

: No caching is done (default) CONTEXTUAL : Use when the rule only depends on the ctx

: Use when the rule only depends on the STRICT : Use when the rule depends on the root or args

Usage:

rule({ cache: ShieldCache.STRICT })( ( root, args, ctx ) => { return true ; }); ruleType({ cache: ShieldCache.STRICT, resolve: ( root, args, ctx ) => { return !!ctx.user; }, });

Known issues / limitations