I'm using the @neo4j/graphql library to define my GraphQL API interface. I've got my Todo model and I would like anyone to be able to read it, but only the admin role to be able to edit it. I'm using NestJS as the backend. The type definition is as follows:
// type-defs.ts
import { gql } from 'graphql-tag'; // gql tag; the original omitted this import

export const typeDefs = gql`
  type Todo {
    id: ID! @id
    owner: String!
    title: String
  }

  # READ is open to everyone; CUD is meant to be restricted to ADMIN.
  # Note: this is the original (misbehaving) rule set from the question.
  extend type Todo
    @auth(
      rules: [
        { operations: [READ], allowUnauthenticated: true }
        { operations: [CREATE, DELETE, UPDATE], allow: { roles: ["ADMIN"] } }
      ]
    )
`;
// gql.module.ts
import { Module } from '@nestjs/common';
import { GraphQLModule } from '@nestjs/graphql';
import { ApolloDriver, ApolloDriverConfig } from '@nestjs/apollo';
import { Neo4jGraphQL } from '@neo4j/graphql';
import { Neo4jGraphQLAuthJWKSPlugin } from '@neo4j/graphql-plugin-auth';
import neo4j from 'neo4j-driver';
import { typeDefs } from './type-defs';
import { authContextFunction } from './auth-context'; // assumed file; the question only names the function

// The driver was not shown in the question; assumed to be built from env config.
const driver = neo4j.driver(
  process.env.NEO4J_URI as string,
  neo4j.auth.basic(process.env.NEO4J_USER as string, process.env.NEO4J_PASSWORD as string),
);

const neoSchema = new Neo4jGraphQL({
  typeDefs,
  driver,
  plugins: {
    auth: new Neo4jGraphQLAuthJWKSPlugin({
      // Cognito publishes its signing keys at /.well-known/jwks.json under the user pool URL;
      // the original pointed at the bare user pool URL, which is not the JWKS document.
      jwksEndpoint: `https://cognito-idp.${process.env.COGNITO_REGION}.amazonaws.com/${process.env.COGNITO_USER_POOL_ID}/.well-known/jwks.json`,
    }),
  },
});

@Module({
  providers: [],
  imports: [
    GraphQLModule.forRootAsync<ApolloDriverConfig>({
      driver: ApolloDriver,
      useFactory: async () => {
        const schema = await neoSchema.getSchema();
        await neoSchema.assertIndexesAndConstraints({
          options: { create: true },
        });
        return {
          playground: true,
          schema,
          // authContextFunction copies the `cognito:groups` claim to `roles` in the JWT payload
          // that Neo4jGraphQLAuthJWKSPlugin sees
          context: authContextFunction,
        };
      },
    }),
  ],
})
export class GqlModule {}
I'd expect all users to be able to read it, but only logged-in admins to be able to perform any CUD operation.
If I run this without a token, I get an Unauthenticated error, which is perfect.
However, when I use a token generated by hand, it allows me to create content. Here is the token passed to the auth plugin:
{
  sub: '10',
  email: 'bob@example.com',
  iat: 1562061850,
  exp: 1562065450,
  roles: [ 'B' ]
}
The issue with your schema is how it uses the property `allow`: `allow` is meant to match a property on a node against a JWT claim. To perform a check using the JWT field `roles`, you should use the property `roles` instead.
Using your example:
type Todo {
  id: ID! @id
  owner: String!
  title: String
}

extend type Todo
  @auth(
    rules: [
      { operations: [READ], allowUnauthenticated: true }
      { operations: [CREATE, DELETE, UPDATE], roles: ["ADMIN"] }
    ]
  )
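To make the difference between the two rule sets concrete, here is an added TypeScript model of how such rules are evaluated. It is an illustration written for this thread, not the @neo4j/graphql implementation: the rule shapes mirror the schemas above, but `isAllowed`, `allowMatches`, the `$jwt.` resolution and the OR-ing of rules are a simplified approximation, and the tokens and the Todo node are constructed sample data. The point it shows is that `allow` is a predicate over properties of a node that already exists, so a CREATE (no node yet) has nothing for it to reject, while `roles` is checked against the token itself.

```typescript
// Simplified model of @auth rule evaluation (added example, not library code).

type Operation = "READ" | "CREATE" | "UPDATE" | "DELETE";

interface Jwt {
  sub: string;
  roles?: string[];
  [claim: string]: unknown;
}

interface AuthRule {
  operations: Operation[];
  allowUnauthenticated?: boolean;
  // roles: the JWT must carry at least one of these roles
  roles?: string[];
  // allow: properties of an EXISTING node must equal one of the listed values;
  // "$jwt.<claim>" is resolved against the token. A CREATE has no existing node.
  allow?: { [property: string]: string | string[] };
}

type GraphNode = { [property: string]: unknown };

// Resolve "$jwt.sub" style references against the token, otherwise use the literal.
function resolveValue(raw: string, jwt: Jwt): unknown {
  const prefix = "$jwt.";
  return raw.indexOf(prefix) === 0 ? jwt[raw.slice(prefix.length)] : raw;
}

function allowMatches(allow: { [property: string]: string | string[] }, node: GraphNode, jwt: Jwt): boolean {
  return Object.keys(allow).every((prop) => {
    const expected = allow[prop];
    const candidates: string[] = Array.isArray(expected) ? expected : [expected];
    return candidates.some((c) => node[prop] === resolveValue(c, jwt));
  });
}

// Rules are OR-ed: the operation is permitted if any rule covering it passes.
// `node` is the node the operation touches; it is undefined for CREATE.
function isAllowed(rules: AuthRule[], op: Operation, jwt: Jwt | null, node?: GraphNode): boolean {
  const applicable = rules.filter((r) => r.operations.indexOf(op) !== -1);
  if (applicable.length === 0) return jwt !== null; // model assumption: no rule means "authenticated only"
  return applicable.some((rule) => {
    if (jwt === null) return rule.allowUnauthenticated === true;
    const token: Jwt = jwt;
    if (rule.roles && !rule.roles.some((r) => (token.roles || []).indexOf(r) !== -1)) return false;
    // `allow` only has something to test when a node exists; on CREATE it is skipped.
    if (rule.allow && node !== undefined && !allowMatches(rule.allow, node, token)) return false;
    return true;
  });
}

// The question's rules (allow) and the answer's rules (roles).
const brokenRules: AuthRule[] = [
  { operations: ["READ"], allowUnauthenticated: true },
  { operations: ["CREATE", "DELETE", "UPDATE"], allow: { roles: ["ADMIN"] } },
];
const fixedRules: AuthRule[] = [
  { operations: ["READ"], allowUnauthenticated: true },
  { operations: ["CREATE", "DELETE", "UPDATE"], roles: ["ADMIN"] },
];

// Constructed sample tokens and node (not real Cognito output).
const bobJwt: Jwt = { sub: "10", email: "bob@example.com", roles: ["B"] };
const adminJwt: Jwt = { sub: "1", email: "admin@example.com", roles: ["ADMIN"] };
const existingTodo: GraphNode = { id: "t1", owner: "10", title: "buy milk" };

function demo() {
  return {
    // `allow` has no node to test on CREATE, so any authenticated token passes
    brokenCreateAsBob: isAllowed(brokenRules, "CREATE", bobJwt),
    // and a Todo has no `roles` property, so even the admin is refused a DELETE
    brokenDeleteAsAdmin: isAllowed(brokenRules, "DELETE", adminJwt, existingTodo),
    fixedCreateAsBob: isAllowed(fixedRules, "CREATE", bobJwt),
    fixedCreateAsAdmin: isAllowed(fixedRules, "CREATE", adminJwt),
    fixedDeleteAsAdmin: isAllowed(fixedRules, "DELETE", adminJwt, existingTodo),
    anonymousRead: isAllowed(fixedRules, "READ", null, existingTodo),
    anonymousCreate: isAllowed(fixedRules, "CREATE", null),
  };
}

console.log(demo());
```

The broken rule set fails in both directions in this model: an authenticated non-admin can create, and an admin cannot delete, because the predicate is comparing a non-existent node property to the literal "ADMIN" instead of looking at the token. Whatever the exact library semantics, the practical check is the same: exercise each operation with an anonymous request, a non-admin token and an admin token, and assert the expected outcome for each, rather than trusting that a rule which reads like an access check is actually evaluated against the token.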