
Comments (8)

ytmimi commented on May 27, 2024 3

@amreshprasad @alonsoenrique, Here's one way to ensure all fields for a given ObjectType are restricted to authenticated users.

If you take a look at where DjangoObjectType is defined in the source code you see that DjangoObjectType inherits from ObjectType. One of the Meta attributes for ObjectType is default_resolver.

Just so you know, here's how Graphene defines its default resolver:

def attr_resolver(attname, default_value, root, info, **args):
    return getattr(root, attname, default_value)

Reading the decorator docs explains that login_required just checks that the current user is logged in (or authenticated).

Also, important to note: info.context is our Django request object.

Putting that all together we can define a custom resolver and apply it to our DjangoObjectType.

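from django.contrib.auth import get_user_model
from graphene import Node
from graphene_django import DjangoObjectType
from graphql_jwt.exceptions import PermissionDenied

User = get_user_model()  # assumed: the project's user model

def auth_resolver(attname, default_value, root, info, **args):
    # info.context is the Django request; resolve the attribute only for logged-in users
    if info.context.user.is_authenticated:
        return getattr(root, attname, default_value)
    raise PermissionDenied()

class UserNode(DjangoObjectType):
    class Meta:
        model = User
        filter_fields = ['first_name', 'last_name', 'id', 'email']
        interfaces = (Node, )
        default_resolver = auth_resolver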

As long as you set up django-graphql-jwt correctly, passing in a valid token will set the user object in info.context, and this method should work.

from django-graphql-jwt.

mongkok commented on May 27, 2024 1

Hi @amreshprasad,
Good suggestion, but I do not think it corresponds to this package.

django-graphql-jwt provides a user authentication system using JWT but not a permission system for Graphene.

Django comes with one authentication system and should also be able to define permissions on resolvers.

ma1onso commented on May 27, 2024

@amreshprasad ask in https://stackoverflow.com/. I'm also interested.

ma1onso commented on May 27, 2024

@amreshprasad done: https://stackoverflow.com/questions/52523234/authentication-authorization-for-default-resolvers

amreshprasad commented on May 27, 2024

@alonsoenrique Thanks.

amreshprasad commented on May 27, 2024

@mongkok The fact that you added the enhancement label - does it mean that there is no way to achieve this currently other than by explicitly defining the resolvers?

Speedy1991 commented on May 27, 2024

One way to bundle your resolvers is to protect the Type by the parent:

import graphene
from graphql_jwt.decorators import login_required

class Container:
    # Simple attribute bag used as the resolved root object
    def __init__(self, **kwargs):
        for k, v in kwargs.items():
            setattr(self, k, v)

class BType(graphene.ObjectType):
    a = graphene.String()
    b = graphene.String()

class AType(graphene.ObjectType):
    c = graphene.Field(BType)

    # The parent resolver carries the authentication check for everything below c
    @login_required
    def resolve_c(self, info, **kwargs):
        return Container(a="a", b="b")

class Query(graphene.ObjectType):
    protected = graphene.Field(AType)
    unprotected = graphene.Field(BType)

    def resolve_protected(self, info, **kwargs):
        return Container()

    def resolve_unprotected(self, info, **kwargs):
        return Container(a="a", b="b")

The idea is to allow access to child resolvers only through their parents.

This will raise if the user is not authenticated: {protected { c {a b} }}
But this will work: {unprotected { a b } }

mongkok commented on May 27, 2024

I think this is a good proposal:
graphql-python/graphene#846

I close the issue.
