neo4j / graphql

A GraphQL to Cypher query execution layer for Neo4j and JavaScript GraphQL implementations.
https://neo4j.com/docs/graphql-manual/current/
Apache License 2.0
511 stars 150 forks

Allow for definition of complex objects in JWT definitions #2215

Open johnykifle opened 2 years ago

johnykifle commented 2 years ago

Describe the bug

On a multi-tenant app, one user can get data from multiple tenants if they have access to them. For example, for a user who has access to 2 tenants, the JWT looks like this:

Type definitions schema.graphql

...
const jwt = {
    id: 1234,
    roles: ['manager'],
    tenants: [
        { tenant: { id: '1234' } },
        { tenant: { id: '4325' } }
    ]
};

return {req, jwt};

When the JWT has an array of objects as input to the auth directive, the value never gets resolved in the schema.

graphql.js

"""
A PriceCard
"""
type PriceCard
    @auth(
        rules: [
            {
                operations: [READ]
                roles: ["manager"]
                allow: { OR: "$jwt.tenants" }
            }
        ]
    ) {
    id: ID! @id
    status: Status!
    tenant: Tenant! @relationship(type: "PRICECARD_OWNER", direction: OUT)

}

Error

stacktrace:
["TypeError: value.forEach is not a function",…]
0: "TypeError: value.forEach is not a function"
1: "    at Object.entries.reduce.params (/Users/xxxxxxxxxX/node_modules/@neo4j/graphql/src/translate/create-auth-and-params.ts:80:34)"
2:"    at Array.reduce (<anonymous>)"
3: "    at createAuthPredicate (/Users/XXXXXXXX/node_modules/@neo4j/graphql/src/translate/create-auth-and-params.ts:75:54)"
4: "    at createSubPredicate (/Users/XXXXXXXX/node_modules/@neo4j/graphql/src/translate/create-auth-and-params.ts:232:36)"
5: "    at authRules.reduce.strs (/Users/XXXXXXXX/node_modules/@neo4j/graphql/src/translate/create-auth-and-params.ts:310:32)"
6: "    at Array.reduce (<anonymous>)"
7: "    at createAuthAndParams (/Users/XXXXXXXX/node_modules/@neo4j/graphql/src/translate/create-auth-and-params.ts:308:37)"
8: "    at translateRead (/Users/XXXXXXXX/node_modules/@neo4j/graphql/src/translate/translate-read.ts:122:47)"
9: "    at resolve (/Users/XXXXXXXX/node_modules/@neo4j/graphql/src/schema/resolvers/query/read.ts:31:47)"
10: "    at Object.priceCards (/Users/XXXXXXXX/office/node_modules/@neo4j/graphql/src/schema/resolvers/wrapper.ts:89:16)"

Expected behavior

If the value of allow is replaced with hard-coded values, for example:

"""
A PriceCard
"""
type PriceCard
    @auth(
        rules: [
            {
                operations: [READ]
                allow: { OR: [ {tenant:{id: "1234"}}, {tenant: { id: "4325"}} ] }
            }
        ]
    ) {
    id: ID! @id
    status: Status!
    tenant: Tenant! @relationship(type: "PRICECARD_OWNER", direction: OUT)

}

it works fine.

System (please complete the following information):

neo4j-team-graphql commented 2 years ago

Many thanks for raising this bug report @johnykifle. :bug: We will now attempt to reproduce the bug based on the steps you have provided.

Please ensure that you've provided the necessary information for a minimal reproduction, including but not limited to:

If you have a support agreement with Neo4j, please link this GitHub issue to a new or existing Zendesk ticket.

Thanks again! :pray:

darrellwarde commented 1 week ago

If we ever add support for this, should also work for enums as in #5126.
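
The behaviour the report expects, as an added sketch that is not code from @neo4j/graphql: `$jwt.tenants` is replaced by the claim's value before the `allow` rule is evaluated, and a claim that is missing, or that is not an array under `OR`, denies access instead of throwing. The function names, the sample node shape and the fail-closed choices are assumptions made for illustration.

```javascript
// Added illustration; not code from @neo4j/graphql. Function names are hypothetical.
const sampleJwt = { // constructed payload with the shape shown in the report
  id: 1234,
  roles: ["manager"],
  tenants: [{ tenant: { id: "1234" } }, { tenant: { id: "4325" } }],
};

// Own-property lookup only, so a path can never reach inherited properties.
const own = (o, k) => (o != null && Object.prototype.hasOwnProperty.call(o, k) ? o[k] : undefined);

// Replace each "$jwt.<path>" string in a rule with the claim it names.
function resolveJwtRefs(value, jwt) {
  if (typeof value === "string" && value.startsWith("$jwt.")) {
    const claim = value.slice(5).split(".").reduce(own, jwt);
    if (claim === undefined) throw new Error(`missing JWT claim: ${value}`);
    return claim; // claim values are not expanded again
  }
  if (Array.isArray(value)) return value.map((v) => resolveJwtRefs(v, jwt));
  if (value !== null && typeof value === "object") {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, resolveJwtRefs(v, jwt)]));
  }
  return value;
}

// Evaluate a resolved `allow` predicate against a plain node object.
function matches(node, allow) {
  if (allow === null || typeof allow !== "object") return false;
  const entries = Object.entries(allow);
  if (entries.length === 0) return false; // an empty predicate grants nothing
  return entries.every(([key, expected]) => {
    if (key === "OR" || key === "AND") {
      // Fail closed: the operand must be a non-empty array, never a bare string.
      if (!Array.isArray(expected) || expected.length === 0) return false;
      const test = (p) => matches(node, p);
      return key === "OR" ? expected.some(test) : expected.every(test);
    }
    const actual = own(node, key);
    const nested = expected !== null && typeof expected === "object";
    return nested ? matches(actual, expected) : actual === expected;
  });
}

// Deny when a referenced claim is missing or the rule is malformed.
function canRead(node, allowRule, jwt) {
  try { return matches(node, resolveJwtRefs(allowRule, jwt)); } catch { return false; }
}
```

With the sample token, `canRead` allows a price card owned by tenant `1234` or `4325` and denies any other tenant, which is the result the hard-coded `OR` list in the report produces.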