spring-projects / spring-graphql

Spring Integration for GraphQL
https://spring.io/projects/spring-graphql
Apache License 2.0

Add Security Schema Directives Support #116

Open Diluka opened 3 years ago

Diluka commented 3 years ago

When using querydsl to generate queries, those that don't have code can't use annotations to be secured. And GraphQL doesn't have routes, so it cannot be configured by the security API.

rwinch commented 2 years ago

Can you help me understand what you mean?

bclozel commented 2 years ago

Could this be related to supporting `@auth` directives at the schema level as shown in the GraphQL Java docs?

Possibly related to #177

rwinch commented 2 years ago

Thank you @bclozel. That helps quite a bit.

Diluka commented 2 years ago

@rwinch for example

type Book {
 name:String
 secret:String @Secured # <-- security server directive
}

query {
 books{
  name
  secret # <-- maybe throw forbidden error
 }
}

rstoyanchev commented 2 years ago

@Diluka since you bring this up in the context of querydsl, not sure if you've considered it already, but there is an option to apply security to Spring Data repositories, as shown in this example.

Diluka commented 2 years ago

How about background jobs? They have no auth context, and cannot use those methods with security.

rstoyanchev commented 2 years ago

Not sure I follow. What is a background job, in the context of a GraphQL request?

Diluka commented 2 years ago

I mean the repo method may be used in other contexts.

rwinch commented 2 years ago

I've put together a prototype of Spring Security support that demonstrates how this could work https://github.com/rwinch/spring-graphql/tree/gh-116-security-schema-directive. For now the code is entirely placed in the webflux-security sample to make trying the support easier.

I'm still thinking about what all should be supported. Right now either @auth(role : "ADMIN") or @auth(authority : "ROLE_ADMIN") are supported. I think we should look into supporting other concepts like authenticated.

If you have the opportunity, please give this a try and let me know if it is what you had in mind.
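As an added illustration of the field-level `@Secured`/`@auth(role:)`/`@auth(authority:)` idea discussed above (this is not the prototype branch's code nor part of Spring GraphQL), here is a graphql-java `SchemaDirectiveWiring` that wraps a directive-annotated field's `DataFetcher` and denies the fetch unless the current `Authentication` holds the required authority. It assumes the servlet `SecurityContextHolder` is populated on the data-fetching thread and uses the legacy `GraphQLDirective.getArgument(...).getValue()` accessor.

```java
import graphql.schema.DataFetcher;
import graphql.schema.FieldCoordinates;
import graphql.schema.GraphQLArgument;
import graphql.schema.GraphQLCodeRegistry;
import graphql.schema.GraphQLDirective;
import graphql.schema.GraphQLFieldDefinition;
import graphql.schema.GraphQLFieldsContainer;
import graphql.schema.idl.SchemaDirectiveWiring;
import graphql.schema.idl.SchemaDirectiveWiringEnvironment;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Added example: enforces @auth(role: "X") or @auth(authority: "Y") on a field.
// Assumption: SecurityContextHolder holds the request's Authentication here.
public class AuthDirectiveWiring implements SchemaDirectiveWiring {
    @Override
    public GraphQLFieldDefinition onField(SchemaDirectiveWiringEnvironment<GraphQLFieldDefinition> env) {
        GraphQLDirective directive = env.getDirective();
        // role: "ADMIN" is normalised to "ROLE_ADMIN"; authority is used as given.
        String required = stringArg(directive, "authority");
        if (required == null) {
            String role = stringArg(directive, "role");
            required = role == null ? null : "ROLE_" + role;
        }
        if (required == null) {
            throw new IllegalStateException("@auth needs either 'role' or 'authority'");
        }
        String requiredAuthority = required;
        GraphQLFieldsContainer parent = env.getFieldsContainer();
        GraphQLFieldDefinition field = env.getElement();
        GraphQLCodeRegistry.Builder registry = env.getCodeRegistry();
        DataFetcher<?> original = registry.getDataFetcher(parent, field);
        // Wrap the existing fetcher so the check runs before any data is read.
        DataFetcher<?> guarded = dfe -> {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            boolean allowed = auth != null && auth.isAuthenticated()
                    && auth.getAuthorities().stream().anyMatch(a -> requiredAuthority.equals(a.getAuthority()));
            if (!allowed) {
                throw new AccessDeniedException("Access denied to " + parent.getName() + "." + field.getName());
            }
            return original.get(dfe);
        };
        registry.dataFetcher(FieldCoordinates.coordinates(parent, field), guarded);
        return field;
    }
    private static String stringArg(GraphQLDirective directive, String name) {
        GraphQLArgument arg = directive.getArgument(name);
        Object value = arg == null ? null : arg.getValue();
        return value instanceof String ? (String) value : null;
    }
}
```

Register it with `RuntimeWiring.newRuntimeWiring().directive("auth", new AuthDirectiveWiring())` alongside a `directive @auth(role: String, authority: String) on FIELD_DEFINITION` declaration in the schema; the thrown `AccessDeniedException` surfaces as a per-field error rather than failing the whole query.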