Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
async (parent, args, context: Ctx): Promise => {
const userId = await getUserId(context);
return !!userId;
}
),
isAdmin: rule({ cache: 'strict' })(
async (parent, args, context: Ctx): Promise => {
const userId = await getUserId(context);
const user: User = await context.prisma.user({ id: userId });
return user.role === 'ADMIN';
}
),
};
export const permissions = shield({
Query: {
// Global
'*': rules.isAdmin,
profile: rules.isUser,
},
Mutation: {
'*': rules.isAdmin,
login: allow,
signup: allow,
},
});
endpoint: config.PRISMA_ENDPOINT,
secret: config.PRISMA_SECRET,
debug: true,
});
// Set up our graphql server
const server = new GraphQLServer({
typeDefs: './src/schema.graphql',
resolvers,
resolverValidationOptions :{
requireResolversForResolveType: false
},
// Since the shield catches errors and masks as unauthorized,
// commenting this next line out is very helpful for debugging.
// Just make *certain* that it is uncommented before committing/pushing.
middlewares: [shield(Permissions)],
context: req => ({
...req,
// Allow this server's mutations and queries to access prisma server
db
}),
});
// Nginx proxy_passes to this server, and we want to trust its forwarded https headers, so that oauth signatures match
server.express.enable('trust proxy');
// Handle LTI launch requests
// create application/x-www-form-urlencoded parser
const urlencodedParser = bodyParser.urlencoded({ extended: false })
server.post('/lti', urlencodedParser, (req, res) => handleLaunch(config, db, req, res));
server.post('/lti/:action/:objectId', urlencodedParser, (req, res) => handleLaunch(config, db, req, res));
Query: {
hello: (_, { name }) => `Hello ${name || 'World'}`,
secret: (_, { agent }) => `Hello agent ${agent}`,
},
}
const permissions = {
Query: {
hello: () => true,
secret: (_, { code }) => code === 'donttellanyone'
}
}
const server = new GraphQLServer({
typeDefs,
resolvers: shield(resolvers, permissions, { debug: true })
})
server.start(() => console.log('Server is running on http://localhost:4000'))
export const validatePermissions = (
schema: GraphQLSchema,
permissions: IPermission[],
options: IOptions,
) => {
return shield(
extractPermissions(
permissions,
extractOperationsName(schema),
options,
),
{
debug: options.debug,
allowExternalErrors: true,
},
)
}
plugins.byType("graphql-schema").forEach(plugin => {
let { security } = plugin;
if (!security) {
return true;
}
if (typeof security === "function") {
security = security();
}
security.shield &&
middleware.push(
shield(security.shield, {
allowExternalErrors: true
})
);
});
import { mergeResolvers } from '@src/resolvers';
import { shield } from 'graphql-shield';
import { fileLoader } from 'merge-graphql-schemas';
import { join } from 'path';
const permissionsArray = fileLoader(join(__dirname, './**/*.permissions.*')) as any[];
const mergedPermissions = mergeResolvers(permissionsArray);
export const permissions = shield(mergedPermissions);
const rules = {
isAuthenticatedUser: rule()((_, __, ctx: Context) => {
const userId = getUserId(ctx)
return Boolean(userId)
}),
isAdmin: rule()(async (_, __, ctx: Context) => {
const userId = getUserId(ctx)
const user = await ctx.photon.users.findOne({
where: { id: userId },
})
return Boolean(user && user.role == 'ADMIN')
}),
}
export const permissions = shield({
Query: {
me: rules.isAuthenticatedUser,
sources: rules.isAuthenticatedUser,
source: rules.isAuthenticatedUser,
resource: rules.isAuthenticatedUser,
attribute: rules.isAuthenticatedUser,
},
Mutation: {
createSource: rules.isAdmin,
},
})
return Boolean(userId)
}),
isPostOwner: rule()(async (parent, { id }, context) => {
const userId = getUserId(context)
const author = await context.photon.posts
.findOne({
where: {
id,
},
})
.author()
return userId === author.id
}),
}
export const permissions = shield({
Query: {
me: rules.isAuthenticatedUser,
filterPosts: rules.isAuthenticatedUser,
post: rules.isAuthenticatedUser,
},
Mutation: {
createDraft: rules.isAuthenticatedUser,
deletePost: rules.isPostOwner,
publish: rules.isPostOwner,
},
})
introspectSchema,
makeRemoteExecutableSchema,
} = require('graphql-tools')
const {canViewReport} = require('./policies')
const urlMap = {
'reportingService': {
uri: process.env.REPORTING_SERVICE_GRAPHQL_URL,
subUri: process.env.REPORTING_SERVICE_SUBSCRIPTION_URL,
headers: {
"X-Hasura-Access-Key": process.env.HASURA_ACCESS_KEY,
"Content-Type": "application/json",
},
prefix: 'reporting',
permissions: shield({
'query_root': {
v_all_lesson_class: rule()(canViewReport),
},
'subscription_root': {
v_all_lesson_class: rule()(canViewReport),
},
})
},
'userService': {
uri: process.env.USER_SERVICE_GRAPHQL_URL,
subUri: process.env.USER_SERVICE_SUBSCRIPTION_URL,
headers: {
"X-Hasura-Access-Key": process.env.HASURA_ACCESS_KEY,
"Content-Type": "application/json",
},
prefix: null,
createWeb: isAuthenticated,
deleteWeb: and(isAuthenticated, isWebCreator(args => args.input.id)),
setTheme: isAuthenticated,
setPageTitle: and(isAuthenticated, isPageCreator(args => args.input.id)),
setWebName: and(isAuthenticated, isWebCreator(args => args.input.id)),
setPageElement: and(isAuthenticated, isPageCreator(args => args.input.id)),
deletePage: and(isAuthenticated, isPageCreator(args => args.input.id)),
},
Query: {
me: allow,
page: and(isAuthenticated, isPageCreator(args => args.id)),
web: and(isAuthenticated, isWebCreator(args => args.id)),
},
};
const permissions = shield(rules);
export default permissions;