Authorization with GraphQL Shield

In this video we’ll explore some of the logic rules (`rule`, `and`, `deny`) and input rules (`inputRule`) that come with GraphQL Shield, and use them to reject requests that are not authenticated, not authorized, or not well-formed. Note that the demo below identifies the caller by a plain `user-id` request header; that is for illustration only — a real deployment must derive identity from a credential the server has verified.

Notes

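const { applyMiddleware } = require("graphql-middleware");
const { shield, rule, and, inputRule, deny } = require("graphql-shield");

// Rules are declared before the shield() map that references them, and the
// map before applyMiddleware(). `const` bindings are not hoisted, so
// referencing them earlier in the file throws a ReferenceError at load time.

// Passes when the request carries a `user-id` header.
// SECURITY: this treats a client-controlled header as proof of identity --
// any caller can set `user-id` to any value. Acceptable for a demo only; in
// production the identity on `ctx` must come from a credential the server has
// verified (session lookup, signed token, ...), never straight from request
// headers. Assumes the server's context function exposes the request headers
// as `ctx.headers` -- confirm against the server setup.
const isAuthenticated = rule()(async (parent, args, ctx, info) => {
  return Boolean(ctx.headers["user-id"]);
});

// Passes only when the header-identified user exists in `users` with the
// ADMIN role. Same caveat as above: until the id comes from a verified
// credential, an attacker can simply send an admin's id. Header values are
// strings, so the lookup only matches if `users[].id` is a string too --
// confirm the shape of `users` (defined elsewhere in this file).
// Returns an explicit boolean so a missing user reads as `false`, not
// `undefined`.
const isAdmin = rule()(async (parent, args, ctx, info) => {
  const user = users.find(({ id }) => id === ctx.headers["user-id"]);
  return Boolean(user && user.role === "ADMIN");
});

// Input validation for `createUser`: requires `input.name` and a well-formed
// `input.email` that is not already in `users`.
// Two caveats a reviewer should know about:
//  * The "already exists" message goes back to the caller, so this endpoint
//    confirms which emails are registered (account enumeration). Use a
//    neutral response if that matters for your threat model.
//  * The check-then-insert is not atomic; two concurrent requests with the
//    same email can both pass it. Uniqueness must also be enforced where
//    users are stored.
const isNotAlreadyRegistered = inputRule()((yup) =>
  yup.object({
    input: yup.object({
      name: yup.string().required(),
      email: yup
        .string()
        .email()
        .required()
        .notOneOf(
          users.map(({ email }) => email),
          "A user exists with this email. Choose another."
        ),
    }),
  })
);

// Field-level permission map.
// Query is default-deny: "*" closes every query field not listed here.
// Mutation has no "*" entry, and shield's own fallback for unlisted fields
// and types is allow, so any mutation other than `createUser` (and any other
// type's fields) is open. If that is not intended, add `"*": deny` to
// Mutation or pass `{ fallbackRule: deny }` as the second argument to shield().
const permissions = shield({
  Query: {
    "*": deny,
    users: and(isAuthenticated, isAdmin),
    me: isAuthenticated,
  },
  Mutation: {
    createUser: isNotAlreadyRegistered,
  },
});

// Wraps the executable `schema` (defined elsewhere) so every resolver is
// checked against the rules above before it runs.
const schemaWithPermissions = applyMiddleware(schema, permissions);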

Published on 16 Aug 2021 by Jamie Barton