Prisma Auth0 Directive Permissions Example


#21

forwardTo does not allow you to easily add the authorization that you would want. You also have to manually add forwardTo for each resolver. Check out these conversations for the limitations: https://github.com/graphql-binding/graphql-binding/issues/40 and https://github.com/graphql-binding/graphql-binding/issues/37


#22

Right; how about if forwardTo itself became a directive that would invoke the authorization directive then the actual forwardTo function next?


#23

I think you could do that, yes


#24

Big update to GraphQL Tools with some breaking changes! Read it all here.


#25

Here’s a version using TypeScript and Jest for tests: https://github.com/coformatique/prisma-auth0-starter
Thanks a lot @LawJolla for the inspiration :slight_smile:

P.S. @nilan I don’t know how feasible/desirable it would be to create a boilerplate out of this?


#26

Great, can’t wait to check it out!

I need to update the starter to the new schema directives. If anyone has some insights, let me know!


#27

What if using permissions-directives explained above, we have:

type Query {
  posts: [Post!]! 
  users: [User!]! @isAdmin
}

Users can only be seen by admins and of course, a Post has Users and a User has Posts.

type User {
  id: ID! @unique
  name: String! @unique
  posts: [Post!]!
}

type Post {
  id: ID! @unique
  name: String! @unique
  users: [User!]!
}

In the frontend, queries
users { id name } is visible only by admins
posts { id name } is visible by everyone.
Great!

What if we launch:

posts { 
  id 
  name 
  users {
    id
    name
  }
}

Everyone has access to (some) users…?


#28

All users that made posts would come back. If that’s not desirable, there are a couple of options.

First, you can make an intermediate type, e.g.

type Post {
  id: ID! @unique
  name: String! @unique
  authors: [Author!]!
}

type Author {
  ...whatever fields you want to show
}

And the author resolver will pull user data accordingly.

You can check out Apollo Server’s newer API, Schema Directives, that may offer more control. I haven’t gone too deep on it yet, but I know you can attach directives to types, e.g.

type User @isAdmin {
  id: ID!
  name: String!
  posts: [Post!]!
}
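
Added example, not part of the thread or of the starter's code: a small stand-in executor (not graphql-js or Apollo Server) showing why `@isAdmin` on `Query.users` alone still lets a non-admin read users through `posts { users { ... } }`, and how a guard on the `User` type closes that path. The data, the `buildSchema`/`execute`/`run` helpers, and modelling a type-level directive as a check on every field of the type are assumptions made for illustration.

```javascript
// Added example: tiny selection-set executor (not graphql-js or Apollo Server).
const db = { // constructed sample data
  posts: [{ id: "p1", name: "Hello", userIds: ["u1"] }],
  users: [{ id: "u1", name: "alice", postIds: ["p1"] }],
};
const isAdmin = (ctx) => ctx.role === "admin"; // stands in for @isAdmin

// guardUserType=false: @isAdmin only on Query.users (post #27).
// guardUserType=true: @isAdmin also on type User (post #28), modelled here
// as a guard on every field of User (assumption about the directive).
function buildSchema(guardUserType) {
  return {
    Query: { fields: {
      posts: { type: "Post", resolve: () => db.posts },
      users: { type: "User", guard: isAdmin, resolve: () => db.users },
    } },
    Post: { fields: {
      id: {}, name: {},
      users: { type: "User",
        resolve: (p) => db.users.filter((u) => p.userIds.includes(u.id)) },
    } },
    User: { guard: guardUserType ? isAdmin : null, fields: {
      id: {}, name: {},
      posts: { type: "Post",
        resolve: (u) => db.posts.filter((p) => u.postIds.includes(p.id)) },
    } },
  };
}

// selection is a nested object, e.g. { posts: { id: true, users: { id: true } } }.
function execute(schema, typeName, selection, parent, ctx) {
  const type = schema[typeName], out = {};
  for (const [name, sub] of Object.entries(selection)) {
    const field = type.fields[name];
    if (!field) throw new Error(`Unknown field ${typeName}.${name}`);
    for (const guard of [type.guard, field.guard]) {
      if (guard && !guard(ctx)) throw new Error(`Not authorized: ${typeName}.${name}`);
    }
    const value = field.resolve ? field.resolve(parent, ctx) : parent[name];
    // Object-typed fields are all lists in this schema; recurse into each item.
    out[name] = field.type ? value.map((v) => execute(schema, field.type, sub, v, ctx)) : value;
  }
  return out;
}

function run(schema, selection, role) {
  try { return { data: execute(schema, "Query", selection, {}, { role }) }; }
  catch (e) { return { error: e.message }; }
}
```

With the field-only schema, `run(buildSchema(false), { posts: { users: { name: true } } }, "user")` returns user names; with `buildSchema(true)` the same query fails at `User.name`, while `posts { id name }` stays public.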