Open Diluka opened 3 years ago
Can you help me understand what you mean?
Could this be related to supporting `@auth` directives at the schema level as shown in the GraphQL Java docs?
Possibly related to #177
Thank you @bclozel. That helps quite a bit.
@rwinch for example

```graphql
type Book {
  name: String
  secret: String @Secured # <-- security server directive
}
```

```graphql
query {
  books {
    name
    secret # <-- maybe throw forbidden error
  }
}
```
@Diluka since you bring this up in the context of querydsl, not sure if you've considered it already, but there is an option to apply security to Spring Data repositories, as shown in this example.
How about background jobs? They have no auth context and cannot use those methods with security.
Not sure I follow. What is a background job, in the context of a GraphQL request?
I mean the repo method may be used in other contexts.
I've put together a prototype of Spring Security support that demonstrates how this could work https://github.com/rwinch/spring-graphql/tree/gh-116-security-schema-directive. For now the code is entirely placed in the webflux-security sample to make trying the support easier.
I'm still thinking about what all should be supported. Right now either `@auth(role : "ADMIN")` or `@auth(authority : "ROLE_ADMIN")` are supported. I think we should look into supporting other concepts like authenticated.
If you have the opportunity, please give this a try and let me know if it is what you had in mind.
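A language-neutral model of the field-level check discussed in this thread, added here as an example; it is not code from the prototype or from Spring GraphQL. It assumes `role : "ADMIN"` maps to the authority `ROLE_ADMIN` (Spring Security's default role prefix) and that a denied field resolves to null with a "Forbidden" entry in `errors`; the `internalNote` field, the sample book and the function names are constructed.

```python
import re

# Constructed SDL: the thread's Book type with both @auth forms from the prototype.
SDL = '''
type Book {
  name: String
  secret: String @auth(role : "ADMIN")
  internalNote: String @auth(authority : "ROLE_ADMIN")
}
'''
# One field definition per line, optionally followed by @auth(role|authority : "...").
FIELD = re.compile(
    r'^[ \t]*(\w+)[ \t]*:[ \t]*[\w!\[\]]+[ \t]*'
    r'(?:@auth\([ \t]*(role|authority)[ \t]*:[ \t]*"([^"]+)"[ \t]*\))?', re.M)

def required_authorities(sdl):
    """Map each field name to the authority it needs, or None if unguarded."""
    rules = {}
    for name, kind, value in FIELD.findall(sdl):
        if kind == "role":
            rules[name] = "ROLE_" + value  # assumption: Spring Security's default role prefix
        else:
            rules[name] = value or None    # authority is compared as written
    return rules

def resolve_books(books, selection, authorities, rules):
    """Resolve selected fields; a denied field becomes null plus an errors entry."""
    rows, errors = [], []
    for i, book in enumerate(books):
        row = {}
        for field in selection:
            needed = rules[field]  # KeyError on a field missing from the schema: fail closed
            if needed is None or needed in authorities:
                row[field] = book[field]
            else:
                row[field] = None
                errors.append({"message": "Forbidden", "path": ["books", i, field]})
        rows.append(row)
    result = {"data": {"books": rows}}
    if errors:
        result["errors"] = errors
    return result

BOOKS = [{"name": "Dune", "secret": "s3cr3t", "internalNote": "reorder"}]  # constructed
RULES = required_authorities(SDL)

if __name__ == "__main__":
    # A caller with no authorities (e.g. no security context) versus an admin.
    print(resolve_books(BOOKS, ["name", "secret"], frozenset(), RULES))
    print(resolve_books(BOOKS, ["name", "secret"], {"ROLE_ADMIN"}, RULES))
```

The unguarded `name` field still resolves for a caller with no authorities, so one denied field does not fail the whole query in this model.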
When using querydsl to generate queries, those don't have code, so annotations can't be used to secure them. And GraphQL doesn't have routes, so it cannot be configured by the security API.