Add authorization

[tobiasdiez]

• https://github.com/maticzav/graphql-shield
• https://jkettmann.com/authorization-with-graphql-and-custom-directives
• https://jkettmann.com/3-ways-for-authorization-with-graphql-and-apollo
• https://www.apollographql.com/docs/apollo-server/security/authentication/

Also add common features like sending registration email etc. Following might be helpful:

• https://github.com/Volst/graphql-authentication

[tobiasdiez]

Options are:

• Authorization in resolver functions, manually calling a helper guard method
• Authorization in service layer, manually calling a helper guard method
• Authorization directives in graphql schema
• Graphql shield: https://the-guild.dev/graphql/shield/docs
• Authorization in resolver function, as typescript decorators, e.g.

  @Before(isAuthorized)
  @After(isOwner)
  function getBlogPost() {...}

  This is similar to the Authorized decoration of type graphql (but more flexible) and in spirit similar to https://github.com/boltsource/apollo-resolvers and https://github.com/lucasconstantino/graphql-resolvers and https://www.graphql-tools.com/docs/resolvers-composition which allow to compose resolvers as well. For rest, this is implemented here: https://tsed.io/docs/authentication.html#usage (see also https://github.com/tsedio/tsed/blob/master/packages/common/src/mvc/decorators/method/useAfter.ts) https://stackoverflow.com/questions/36349158/call-typescript-decorator-method-when-the-underlying-function-is-executed Problem with this approach: resolver functions need to be methods in a class (otherwise we cannot apply decorators). Workaround: https://github.com/microsoft/TypeScript/issues/7342 Implementation detail to ensure type checking: https://stackoverflow.com/questions/59992398/is-there-a-way-to-type-a-typescript-method-decorator-to-restrict-the-type-of-the and https://stackoverflow.com/questions/52961185/typescript-restrict-decorator-via-typedpropertydescriptor-on-decorator-factorie Maybe worthwile to extract this to a new library graphql-compose.

Decision: try the typescript way, and if that doesn't work manually authorize requests in resolver functions (at least for now)

Reason:

• Directives are not flexible enough
• Shield has this additional permissions layer (which is nice) but there is no mechanism that ensures that this layer stays in sync with the schema. I also would like if the authorization requirements stay close to the resolvers.

References:

• https://github.com/dimatill/graphql-shield/blob/bddd7b2ab6089a36638aec9fe39e85533246d6a0/packages/graphql-shield/src/rules.ts
• https://github.com/dimatill/graphql-shield/blob/bddd7b2ab6089a36638aec9fe39e85533246d6a0/packages/graphql-shield/src/generator.ts#L67

[tobiasdiez]

First step toward this: https://github.com/JabRef/JabRefOnline/pull/159