@eyston
Last active November 5, 2015 04:08
// Assumes graphql-js (the `graphql` package), which provides these exports;
// `request`, `db` and `schema` are assumed to exist in the surrounding app.
const { graphql, GraphQLObjectType, GraphQLString } = require('graphql');

// Wraps a resolver so it only runs when the current user holds `role`.
// The third resolver argument carries `rootValue`, which is where the user is placed below.
const hasRole = (role, next) => {
  return (obj, args, ctx) => {
    if (ctx.rootValue.user.hasRole(role)) {
      return next(obj, args, ctx); // return the wrapped resolver's value, otherwise the field is always undefined
    } else {
      return null;
    }
  };
};

// Per request: load the user from the session and hand it to the executor as the root value.
const { query, variables } = request.params; // from the request
const user = db.getUser(request.session.userId); // from your session -- pretend it has user id or something!
graphql(schema, query, {user}, variables); // shove the user in the root value

const UserType = new GraphQLObjectType({
  name: 'User',
  fields: {
    email: {
      type: GraphQLString,
      resolve: (user, _, {rootValue}) => {
        // only the current user can see their email
        // can imagine this checking admin roles and stuff
        if (user.id === rootValue.user.id) {
          return user.email;
        } else {
          // maybe you can throw to add an error to the response!
          return null;
        }
      }
    },
    socialSecurityNumber: {
      type: GraphQLString,
      resolve: hasRole('admin', user => user.socialSecurityNumber)
    }
  }
});
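An added example, not code from the gist: the same guard pattern written as composable predicates and exercised by calling the field resolvers directly, so it runs without the graphql package. It assumes the viewer carries a `roles` array (the gist uses a `hasRole()` method) and that `info` mirrors graphql-js's third resolver argument, which carries `rootValue`.

```javascript
// Added example (not the gist's code). Assumptions: viewer has a `roles` array,
// and `info` mirrors graphql-js's third resolver argument with its `rootValue`.

// Run `next` only when `allowed` grants access; otherwise the field resolves to null.
const guard = (allowed, next) => (obj, args, info) =>
  allowed(obj, args, info) ? next(obj, args, info) : null;

// Predicates over (obj, args, info): role membership, record ownership, and "any of".
const hasRole = (role) => (obj, args, info) => info.rootValue.user.roles.includes(role);
const isSelf = (obj, args, info) => obj.id === info.rootValue.user.id;
const anyOf = (...preds) => (obj, args, info) => preds.some((p) => p(obj, args, info));

// Field resolvers for a User type; guarded fields fail closed (null) when denied.
const userFields = {
  name: (user) => user.name,
  email: guard(anyOf(isSelf, hasRole('admin')), (user) => user.email),
  socialSecurityNumber: guard(hasRole('admin'), (user) => user.socialSecurityNumber),
};

// Resolve the requested fields of `user` as seen by `viewer`, one resolver call per
// field, the way the executor does for a selection set. Only own properties of
// userFields count as fields, so prototype keys such as "constructor" are skipped.
function resolveUser(user, fieldNames, viewer) {
  const info = { rootValue: { user: viewer } };
  const result = {};
  for (const name of fieldNames) {
    if (Object.prototype.hasOwnProperty.call(userFields, name)) {
      result[name] = userFields[name](user, {}, info);
    }
  }
  return result;
}

// Constructed sample records (not real data).
const alice = { id: 1, name: 'Alice', email: 'alice@example.com', socialSecurityNumber: '000-00-0000', roles: [] };
const bob   = { id: 2, name: 'Bob',   email: 'bob@example.com',   socialSecurityNumber: '111-11-1111', roles: [] };
const admin = { id: 3, name: 'Root',  email: 'root@example.com',  socialSecurityNumber: '222-22-2222', roles: ['admin'] };
const allFields = ['name', 'email', 'socialSecurityNumber'];

console.log(resolveUser(alice, allFields, bob));   // another user: name only, email and SSN are null
console.log(resolveUser(alice, allFields, alice)); // self: email visible, SSN still null
console.log(resolveUser(alice, allFields, admin)); // admin: every field visible
```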
eyston commented Nov 5, 2015

@bostonou I can't stop:

https://www.youtube.com/watch?v=7lm3K8zVOdY

This was a talk from clojure/conj 2014 where a bank actually filters a Datomic database to only include attributes a user can see. This means any query can be run safely as the only attribute values which can possibly be returned are authorized.

I have _zero_ idea if this is a good / bad idea, but definitely neato. And Cognitect has included them in literature so maybe it's a great idea, I dunno!

http://blog.cognitect.com/blog/2015/9/14/nubank
