Graphqlbundle: Access expresion and validation at query level.

Created on 21 Mar 2017  路  7Comments  路  Source: overblog/GraphQLBundle

| Q | A
| ---------------- | -----
| Bug report? | no
| Feature request? | yes
| BC Break report? | no
| RFC? | yes
| Version/Branch | x.y.z

Setting access expression at query level, and prevent database access if user doesnt have to those queries.

question

All 7 comments

Hi @Lube,
can you give an example to explain the difference between what you asking for and the current access feature please?

@Lube have you tried using the Symfony security layer?

  1. Add a firewall targeting your endpoint

    firewalls:
      graphql:
        pattern: ^/graphql
        stateless: true
        <YOUR_PROVIDER>: <CONFIG>
    
  2. Set an access_control

    access_control:
      - { path: ^/graphql, roles: IS_AUTHENTICATED_FULLY }
    

I don't know if its related, but i have a problem to get user in resolve property.
I'm fully authenticated for rest routes, but when I attempted to access graphql, user is set anonymous.
It's probably a misconfiguration at symfony level, but maybe you have a suggestion?
Thanks

If I try setting access: "@=isAuthenticated()", i got "Access denied to this field." message.

I have only set this in routing:

overblog_graphql_endpoint:
    path: /graphql
    defaults:
        _controller: OverblogGraphQLBundle:Graph:endpoint
        _format: "json"

and in security:

    access_control:
        - { path: ^/graphql,               roles: IS_AUTHENTICATED_ANONYMOUSLY, methods: [POST] }

and finally the firewalls:

    firewalls:
        # disables authentication for assets and the profiler, adapt it according to your needs
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        login:
            pattern: ^/auth/form$
            anonymous: true

        token:
            pattern: ^/token$
            security: false

        secured:
            pattern: ^/
            guard:
                authenticators:
                    - acme_superadmin.token_authenticator
                    - acme_app.token_authenticator
                entry_point: acme_app.token_authenticator
            saml:
                username_attribute: '%sso_saml_username_attribute%'
                check_path: /saml/acs
                login_path: /saml/login
                always_use_default_target_path: true
                user_factory: acme_user.user_manipulator
            form_login_ldap:
                login_path: /#/sign-in
                check_path: /auth/login
                service: ldap
                dn_string: '%ldap_binddn%'
                require_previous_session: false
                always_use_default_target_path: true
            form_login:
                login_path: /#/sign-in
                check_path: /auth/login
                require_previous_session: false
                always_use_default_target_path: true
            logout:
                path: /saml/logout
            anonymous: ~
            remember_me:
                secret:   '%secret%'
                lifetime: '%remember_me_lifetime%'

Ok, it seems to be a problem with Apollo Client, not Symfony or this bundle. I will put the solution here as soon as i found to pass cookies. Something related to https://github.com/github/fetch/blob/7f71c9bdccedaf65cf91b450b74065f8bed26d36/README.md#sending-cookies

closing this feel free to reopen if needed...

Was this page helpful?
0 / 5 - 0 ratings