youshido-php / GraphQLBundle

Pure PHP implementation of GraphQL Server – Symfony Bundle
MIT License
284 stars 44 forks

How to implement security #49

Open blade503 opened 7 years ago

blade503 commented 7 years ago

I'm trying to set up the security for the bundle, but I'm a bit confused because I don't succeed in finding examples of use and the docs are not complete at all. I saw there were black/white lists and voters. But how can I use them?

For example, if I would like to handle access control on a field of a type: say A is a user and B is an admin. A can't access a certain field but B can because he is an admin? I don't know if this is even possible at the moment with the bundle.

And also, does the bundle handle field deprecation in the type?

Thanks for your answers!

eskrano commented 7 years ago

@blade503 http://symfony.com/doc/current/security.html

blade503 commented 7 years ago

@eskrano The link doesn't mention voters, or even how to handle it with this bundle. So thanks for your attempt, but I know how to handle security on Symfony; the behavior I want is not in the basics of Symfony, and I found nothing about it in the bundle's docs.

geotry commented 7 years ago

Personally I use graphql types to handle security. For instance, you can create a type PublicUser with public data and a type FullUser with all data.

This way your field can return a union of users (either PublicUser or FullUser) depending on your logic. So if you are an admin, you will see each user as a FullUser whereas regular users will see only PublicUser. You can use interfaces to regroup common fields and handle both users as one in your query.

You don't even have to worry about returning too much data on your resolvers since the graphql processor will filter the data automatically for you. All you have to do is to return the correct type.

blade503 commented 7 years ago

Well, it looks very interesting to me. I started to do the verification on the type. But the type doesn't have access to the Symfony container to get the authorization checker? How do you check in the type that the user has ROLE_ADMIN?

geotry commented 7 years ago

Actually the type will be set by your union type, in the method resolveType(), which takes as argument the value you resolved in your field (a user object in your case).

When you resolve your users in your field (here you have access to the container), you can add a piece of information to your user object, like selfUserRoles, to hold the roles of the current user.

When the method resolveType() of the Union will be called, you can check the value of selfUserRoles to return either PublicUser or FullUser type.

It's just an example of course to show you how you can control the type with unions.
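The union approach geotry describes in the two comments above (a PublicUser type, a FullUser type, and a union whose resolveType() reads the viewer's roles off the resolved value), written out as a runnable example. This is an added illustration, not code from the bundle or from this thread. It uses the plain youshido/graphql library (composer require youshido/graphql) rather than the Symfony bundle, so the viewer's roles are passed in as a plain array where a Symfony app would read them from the token storage or the authorization checker inside the field resolver; the user rows are constructed sample data, and the type, field and key names (PublicUser, FullUser, selfUserRoles, users) are choices made for this example.

```php
<?php
// Added example (not the bundle's own code). Assumes: composer require youshido/graphql
require_once __DIR__ . '/vendor/autoload.php';

use Youshido\GraphQL\Execution\Processor;
use Youshido\GraphQL\Execution\ResolveInfo;
use Youshido\GraphQL\Schema\Schema;
use Youshido\GraphQL\Type\ListType\ListType;
use Youshido\GraphQL\Type\Object\AbstractObjectType;
use Youshido\GraphQL\Type\Scalar\IntType;
use Youshido\GraphQL\Type\Scalar\StringType;
use Youshido\GraphQL\Type\Union\AbstractUnionType;

// View exposed to ordinary users: only non-sensitive fields are declared,
// so anything else on the resolved row (e.g. email) is never serialised.
class PublicUserType extends AbstractObjectType
{
    public function build($config)
    {
        $config->addField('id', new IntType())
               ->addField('username', new StringType());
    }
    public function getName() { return 'PublicUser'; }
}

// View exposed to admins: same fields plus the sensitive one.
class FullUserType extends AbstractObjectType
{
    public function build($config)
    {
        $config->addField('id', new IntType())
               ->addField('username', new StringType())
               ->addField('email', new StringType());
    }
    public function getName() { return 'FullUser'; }
}

// resolveType() receives each value returned by the field resolver. The
// resolver tags every row with the *viewer's* roles under 'selfUserRoles';
// a row without that tag falls back to the least-privileged view.
class UserUnionType extends AbstractUnionType
{
    public function getTypes()
    {
        return [new PublicUserType(), new FullUserType()];
    }
    public function resolveType($object)
    {
        $roles = isset($object['selfUserRoles']) ? $object['selfUserRoles'] : [];
        return in_array('ROLE_ADMIN', $roles, true) ? new FullUserType() : new PublicUserType();
    }
    public function getName() { return 'User'; }
}

class QueryType extends AbstractObjectType
{
    private $viewerRoles;

    // Hypothetical injection point: a Symfony app would obtain the roles from
    // the security token here instead of a constructor argument.
    public function __construct(array $viewerRoles)
    {
        $this->viewerRoles = $viewerRoles;
        parent::__construct();
    }

    public function build($config)
    {
        $roles = $this->viewerRoles;
        $config->addField('users', [
            'type'    => new ListType(new UserUnionType()),
            'resolve' => function ($value, array $args, ResolveInfo $info) use ($roles) {
                // Constructed sample rows standing in for a repository query.
                $rows = [
                    ['id' => 1, 'username' => 'alice', 'email' => 'alice@example.com'],
                    ['id' => 2, 'username' => 'bob',   'email' => 'bob@example.com'],
                ];
                // Attach the current viewer's roles so the union can decide the view.
                return array_map(function ($row) use ($roles) {
                    $row['selfUserRoles'] = $roles;
                    return $row;
                }, $rows);
            },
        ]);
    }
}

// Execute the same query as two different viewers and compare the output.
function runAs(array $viewerRoles, $query)
{
    $processor = new Processor(new Schema(['query' => new QueryType($viewerRoles)]));
    $processor->processPayload($query);
    return $processor->getResponseData();
}

$query = '{ users { ... on PublicUser { id username } ... on FullUser { id username email } } }';

print_r(runAs(['ROLE_USER'], $query));   // each user as PublicUser: no email key
print_r(runAs(['ROLE_ADMIN'], $query));  // each user as FullUser: email included
```

Two points a practitioner will want to check: the protection only holds if every resolver that returns the union tags its rows, which is why resolveType() defaults to PublicUser when the tag is missing; and because the decision is made per resolved value, a row's own data can also feed the choice (for instance, a user always resolving to FullUser for themselves). Declaring the shared fields on an interface, as geotry mentions, lets clients query id and username without the inline fragments used above.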