Supergraph AuthZ
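# Directive which signals that access to a particular field or object is gated behind login
directive @authz_loggedin on OBJECT | FIELD_DEFINITION

# Directive which signals that access to a particular field or object is restricted to either
# the user who owns it or one of our employees
directive @authz_internal_or_user on OBJECT | FIELD_DEFINITION

# Directive which signals that access to a particular field or object requires ownership of the content
directive @authz_owns_content on OBJECT | FIELD_DEFINITION

# Directive which signals that access to a particular field or object is scoped to users who belong to
# the enterprise account which owns the resource and who also hold one of the listed account roles
# within that enterprise account. With no argument the default role list [ADMIN] applies, i.e. admin-only.
#
# The role list is declared as [AccountRole!]! (rather than [AccountRole]) so that schema validation
# itself rejects `role: null` and `role: [null]`; otherwise it would be left to the directive
# implementation to decide whether a null role list means "any role" or "no access".
# `role: []` is still expressible — confirm the implementation treats an empty list as deny-all,
# never as "no role required".
directive @authz_accountmember(role: [AccountRole!]! = [ADMIN]) on OBJECT | FIELD_DEFINITION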
# Anyone should be able to query for a user: `id` and `username` carry no directive, and
# Query.user (unlike Query.me) is not @authz_loggedin, so nothing in this schema gates them.
# NOTE(review): @key(fields: "id") marks this type as an entity. If this is Apollo Federation,
# the field-level directives below must also be enforced when a User is reached through the
# subgraph's entity resolver, not only through Query.user — confirm with the router/subgraph setup.
type User @key(fields: "id") {
  id: ID!
  username: String!
  # ... but users can only see their own emails (or one of our admins)
  email: String! @authz_internal_or_user
  # ... and users can only see their own courses (or one of our admins).
  # Course is itself @authz_owns_content at the OBJECT level, so each returned Course is
  # additionally gated by that directive — presumably satisfied for the owner's own courses;
  # verify how it is resolved for an internal admin reading someone else's list.
  courses: [Course] @authz_internal_or_user
}
# Account details are available to anyone that belongs to this org in any role.
# The OBJECT-level directive is the baseline for every field; the field-level directives below
# narrow it further. The role argument reads as "any of the listed roles" — confirm the
# implementation treats it as any-of rather than all-of.
type EnterpriseAccount @key(fields: "id") @authz_accountmember(role: [ADMIN, MEMBER, GUEST]) {
  id: ID!
  name: String!
  # Listed for every member, but each Course carries its own OBJECT-level @authz_owns_content,
  # so — assuming OBJECT-level directives are enforced on nested selections — membership alone
  # does not expose course content.
  courses: [Course]
  # ... but only non-guest members can see the current project
  currentProjectName: String @authz_accountmember(role: [ADMIN, MEMBER])
  # ... and only the account admin should be able to see how much they're currently spending
  # (no argument, so the directive's default role list [ADMIN] applies)
  ytdSpend: Int! @authz_accountmember
}
# Roles a user can hold within an EnterpriseAccount; consumed by @authz_accountmember.
# Listed from most to least privileged, matching how the field-level usages above narrow access
# (ADMIN sees everything, GUEST only the baseline fields).
enum AccountRole {
  ADMIN
  MEMBER
  GUEST
}
# The only people who should see course content are those who have _paid_ for course content.
# The directive sits at the OBJECT level, so it covers every field here (id/title/slug included,
# not just textContent) regardless of which field the Course was reached through.
type Course @authz_owns_content {
  id: ID!
  title: String!
  slug: String!
  textContent: String!
  # A User, whose id/username are ungated; email and courses keep their own field-level gating.
  author: User!
  # Nullable — presumably not every course has a publishing account. When present it is subject
  # to EnterpriseAccount's OBJECT-level @authz_accountmember, so a paying reader who is not a
  # member of the publisher's account would be denied this sub-selection.
  publisher: EnterpriseAccount
}
type Query {
  # Requires an authenticated caller; the only usage of @authz_loggedin in this schema.
  me: User @authz_loggedin
  # Public lookup by username (see the User type). Only the gated User fields are protected,
  # so this field also lets any caller confirm whether a given username exists.
  user(username: String!): User
  # No directive on the field itself; access is decided by Course's OBJECT-level @authz_owns_content.
  course(slug: String!): Course
  # Gated by EnterpriseAccount's OBJECT-level @authz_accountmember.
  # NOTE(review): `id` is nullable here while the other lookups take non-null arguments —
  # confirm the resolver rejects a null/omitted id rather than falling back to some default
  # account. `ID!` would be the cleaner fix, but it is a breaking change for any client that
  # currently omits the argument.
  account(id: ID): EnterpriseAccount
}
type Mutation {
  # Only admins and members of the publishing account may publish a course.
  # NOTE(review): the mutation takes only a slug, so the account against which membership is
  # checked has to be derived server-side from the course the slug resolves to — never from a
  # caller-supplied account id. Confirm the directive implementation resolves it that way, and
  # that a slug resolving to no course (or to a course with no publisher) is denied, not allowed.
  publishCourse(slug: String!): Boolean! @authz_accountmember(role: [ADMIN, MEMBER])
}
# Has directives:
# - @authz_accountmember(role: [ADMIN, MEMBER])
#   (the schema declares publishCourse with an explicit role list; since the argument set is part
#   of a directive's identity for de-duplication, it is recorded here rather than the bare name)
mutation PublishCourse($slug: String!) {
  # brings into scope @authz_accountmember(role: [ADMIN, MEMBER]) from the Mutation.publishCourse field
  publishCourse(slug: $slug)
}
# Has directives:
# - @authz_internal_or_user
# - @authz_owns_content
query QuickCourseSummaryForUser($username: String!) {
  # Query.user carries no directive: anyone can look the user up
  user(username: $username) {
    id
    # brings into scope @authz_internal_or_user (the field-level directive on User.courses)
    # NOTE(review): Course is @authz_owns_content at the OBJECT level. FullCourseSummaryReportForUser
    # collects EnterpriseAccount's OBJECT-level directive for its `publisher` selection, so by the
    # same rule this selection also brings @authz_owns_content into scope; it was missing from the
    # list above and is now recorded there — confirm the collector walks the return type's
    # directives and not only the field's.
    courses {
      id
      title
    }
  }
}
# Has directives:
# - @authz_internal_or_user
# - @authz_owns_content
# - @authz_accountmember(role: [ADMIN, MEMBER, GUEST])
# - @authz_accountmember
query FullCourseSummaryReportForUser($username: String!) {
  # Query.user carries no directive: anyone can look the user up
  user(username: $username) {
    id
    # brings into scope @authz_internal_or_user (the field-level directive on User.courses)
    # NOTE(review): also brings into scope @authz_owns_content — Course's OBJECT-level directive —
    # by the same rule that makes `publisher` below collect EnterpriseAccount's OBJECT-level
    # directive; it was missing from the list above and is now recorded there.
    courses {
      id
      title
      slug
      # User has no OBJECT-level directive and id/username are ungated, so nothing new is collected here
      author {
        id
        username
      }
      # brings into scope @authz_accountmember(role: [ADMIN, MEMBER, GUEST])
      # (EnterpriseAccount's OBJECT-level directive; the publisher field itself carries none)
      publisher {
        id
        name
        # Brings into scope @authz_accountmember
        # same directive as the previous, however has different arguments so we keep it
        # (no argument means the default role list [ADMIN]; the argument set is part of the
        # directive's identity for de-duplication, so [ADMIN] and [ADMIN, MEMBER, GUEST] are distinct)
        ytdSpend
      }
    }
  }
}