Open CarsonF opened 4 years ago
Hi @CarsonF, I tried to use a GraphQL plugin for authorization like you proposed. I am blocked with the plugin solution I tried. A GraphQL plugin is a good way to check all requests by default, but it is only possible to get the token from the cookie or request header. This can't help us check if the user is logged in. I reviewed other solutions as well. We can use Guards for authorization. It is possible to set a global guard by default and create an Anonymous guard for custom cases.
Noting that work was started here https://github.com/SeedCompany/cord-api-v3/compare/1126-authorization-middleware
Anyone: Please speak with me first before working this.
@michaelmarshall are we good to close this out?
➤ Seth McKnight commented:
Currently we only have authentication middleware - the session. This identifies you, but doesn't do any checks (mostly).
The session doesn't guarantee that you are logged in.
We then manually opt-in to logic in every method to use an anonymous user for queries and throw exceptions in mutations if you are not logged in.
This is forgotten about all the time and is the source of many bugs.
https://github.com/SeedCompany/cord-api-v3/blob/a89ae3d389273ee466e35e4a8e8a65ae987006ec/src/components/project/project.service.ts#L421-L424
https://github.com/SeedCompany/cord-api-v3/blob/a89ae3d389273ee466e35e4a8e8a65ae987006ec/src/components/project/project.service.ts#L213-L215
This logic needs to be put into a middleware so that it's applied automatically. In turn changing this logic from opt-in to opt-out.
Apollo Server has plugins. I'm thinking we could create an authorization one. We could migrate some of the session logic to it.
The didResolveOperation lifecycle event looks like a good starting point.
There are only a few places where we don't want this to happen automatically, like the authentication operations.
I'm thinking we could have a decorator that notes to skip them, like `@Anonymous()`.
This is pretty deep stuff, talk to me if you want to work it.
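The plugin sketched above, as an added example that is neither cord-api-v3's code nor Apollo Server's own: an authorization hook on `didResolveOperation` that turns the check from opt-in to opt-out, with an `Anonymous()` registration standing in for the proposed decorator. It assumes the session is exposed on the GraphQL context as `session.userId` (undefined when not logged in), and the field names `login`, `projects` and `createProject` are hypothetical.

```typescript
// Added example (not cord-api-v3 or Apollo code). Assumed: the session lives on
// the GraphQL context as `session.userId`, undefined when not logged in; field
// names such as `login` and `projects` are hypothetical.
class UnauthenticatedException extends Error {}
// Root fields whose resolvers were marked with the (hypothetical) @Anonymous().
const anonymousFields = new Set<string>();
// Decorator factory: registers the resolver method name as not requiring login.
function Anonymous(): (target: object, propertyKey: string | symbol) => void {
  return (_target, propertyKey) => { anonymousFields.add(String(propertyKey)); };
}

// The subset of the graphql-js AST and Apollo request context the plugin reads.
interface Selection { name: { value: string } }
interface OperationNode {
  operation: 'query' | 'mutation' | 'subscription';
  selectionSet: { selections: Selection[] };
}
interface Session { userId?: string; anonymous?: boolean }
interface RequestContext { operation: OperationNode; context: { session: Session } }

// Runs after the operation AST is resolved and before any resolver executes.
const authorizationPlugin = {
  requestDidStart() {
    return {
      didResolveOperation(rc: RequestContext): void {
        const rootFields = rc.operation.selectionSet.selections.map((s) => s.name.value);
        const session = rc.context.session;
        // Opt out only when *every* root field is anonymous, so a protected
        // field cannot be smuggled into the same document as `login`.
        if (rootFields.every((f) => anonymousFields.has(f))) return;
        if (session.userId) return; // logged in: nothing to enforce
        if (rc.operation.operation === 'mutation') {
          throw new UnauthenticatedException(`Login required for: ${rootFields.join(', ')}`);
        }
        session.anonymous = true; // queries continue as the anonymous user
      },
    };
  },
};

class AuthResolver { login(): void { /* issues a session; no login required */ } }
Anonymous()(AuthResolver.prototype, 'login'); // same effect as @Anonymous() on login()

// Drives the hook the way Apollo would, from a constructed request context.
function check(op: OperationNode['operation'], fields: string[], session: Session): Session {
  const selections = fields.map((f) => ({ name: { value: f } }));
  const rc: RequestContext = { operation: { operation: op, selectionSet: { selections } }, context: { session } };
  authorizationPlugin.requestDidStart().didResolveOperation(rc);
  return rc.context.session;
}
```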