authonly and public directives - safe coding

[cancan101]

At present, I have an @authonly directive that I put on top level queries and mutations to require the user be authenticated to access those "fields". The issue with this approach is that forgetting to place the @authonly directive on a given field in the schema will implicitly lead to that field to be unsecured. I would like to make this coding "safer", ie to prevent accidentally omitting the @authonly directive on routes that need it.

Two options that come to mind though I am not sure how to implement either:

1. Make @authonly the default on all queries but have a @public directive that turns off the auth check
2. Keep the behavior as is for @authonly and add a no-op directive, @public for which a schema validator statically checks that all fields have one of @authonly or @public, such that the server won't run if any fields are not tagged in one of these.

I am open to either of these approaches or even a third one that I haven't come up with but am not sure how to best implement these approaches idiomatically in Ariadne.

[rafalp]

When auth-only is the default for your API, then your security should be opt-out.

How to do this?

I would write custom protect_schema utility that would take schema from make_executable_schema and would wrap resolvers on Query and Mutation type with requires_only decorator, but only for fields that don't have @public directive, eg:

def protect_schema(schema):
    protect_schema_type_fields(schema.type_map["Query"])
    protect_schema_type_fields(schema.type_map["Mutation"])


def protect_schema_type_fields(type_fields):
    for field_name, field_type in type_fields.items():
        if not field_type.ast_node:
            field_type.resolve = protect_schema_resolver(field_type.resolve or default_resolver)
            continue

        directives = [
            directive.name.value
            for directive in field_type.ast_node.directive
        ]
        
        if "public" not in directives:
            field_type.resolve = protect_schema_resolver(field_type.resolve or default_resolver)


def protect_schema_resolver(resolver):
    @wraps(resolver)
    def protected_resolver(obj, info, **kwargs):
        if not info.context["user"]:
            raise GraphQLError("This field requires authentication.")
        
        return resolver(obj, info, **kwargs)

    return protected_resolver

And then the use would be:

schema = make_executable_schema(...)
protect_schema(schema)

[cancan101]

make sense, thank you for that! When does this occur: not field_type.ast_node, such that the directives aren't checked?

[rafalp]

field_type.ast_node contains GraphQL AST from which this GraphQLField instance was created. But this is only the case when the GraphQL library you are using sets this value.

Ariadne does because we are using GraphQL's built-in "schema from SDL document" feature, but I can't speak for other GraphQL libs and devs doing custom schema manipulation.

[cancan101]

The solution posted isn't quite right. Adding typing for clarity:

def protect_schema(schema: GraphQLSchema):
   ...

def protect_schema_type_fields(type_fields: GraphQLNamedType):
   ...

but then type_fields doesn't have an items. The subclass that actually gets passed in is a GraphQLObjectType. I think you want something like this:

def protect_schema_type_fields(type_fields: GraphQLNamedType):
    if not isinstance(type_fields, GraphQLObjectType):
        raise ValueError("Expected GraphQLObjectType")

    fields: GraphQLFieldMap = type_fields.fields
    for field_name, field_type in fields.items():

though the param names might need updating

[rafalp]

Yeah. I've did that code 100% from memory so ofcourse I've got something wrong here 😅

[cancan101]

Appreciate the response! I just wanted to paste update for anyone else that comes along