PoC for authorization with schema directives

This is only a proof of concept how to guard fields with schema directives so it is only applied to UserPrivates.

It can be tested using this GraphQL query:

```
fragment UserFields on User {
  id
  name
  privates {
    sats
  }
}

query users {
  me {
    ...UserFields
  }
  user(id: 624) {
    ...UserFields
  }
}
```

However, I am not sure how schema directives can support conditional validation like we need for fields that are conditionally private.
Conditional validation might need to continue exist as custom code in the resolvers.

Next steps could be to also apply these directives to limit API key usage.

Author: ekzyis

api/directives/auth.js

@@ -0,0 +1,57 @@
+import gql from 'graphql-tag'
+import { defaultFieldResolver } from 'graphql'
+import { getDirective, MapperKind, mapSchema } from '@graphql-tools/utils'
+import { GqlAuthorizationError } from '@/lib/error'
+
+const DIRECTIVE_NAME = 'auth'
+
+export const typeDef = gql`
+    directive @${DIRECTIVE_NAME}(allow: [Role!]!) on FIELD_DEFINITION
+    enum Role {
+        ADMIN
+        OWNER
+        USER
+    }
+`
+
+export function apply (schema) {
+  return mapSchema(schema, {
+    [MapperKind.OBJECT_FIELD]: fieldConfig => {
+      const upperDirective = getDirective(schema, fieldConfig, DIRECTIVE_NAME)?.[0]
+      if (upperDirective) {
+        const { resolve = defaultFieldResolver } = fieldConfig
+        const { allow } = upperDirective
+        return {
+          ...fieldConfig,
+          resolve: async function (parent, args, context, info) {
+            checkFieldPermissions(allow, parent, args, context, info)
+            return await resolve(parent, args, context, info)
+          }
+        }
+      }
+    }
+  })
+}
+
+function checkFieldPermissions (allow, parent, args, { me }, { parentType }) {
+  // TODO: should admin users always have access to all fields?
+
+  if (allow.indexOf('OWNER') >= 0) {
+    if (!me) {
+      throw new GqlAuthorizationError('you must be logged in to access this field')
+    }
+
+    switch (parentType.name) {
+      case 'User':
+        if (me.id !== parent.id) {
+          throw new GqlAuthorizationError('you must be the owner to access this field')
+        }
+        break
+      default:
+        // we could just try the userId column and not care about the type
+        // but we want to be explicit and throw on unexpected types instead
+        // to catch potential issues in our authorization layer fast
+        throw new GqlAuthorizationError('failed to check owner: unknown type')
+    }
+  }
+}

api/directives/index.js

@@ -0,0 +1,14 @@
+import { makeExecutableSchema } from '@graphql-tools/schema'
+
+import * as upper from './upper'
+import * as auth from './auth'
+
+const DIRECTIVES = [upper, auth]
+
+export function makeExecutableSchemaWithDirectives (typeDefs, resolvers) {
+  const schema = makeExecutableSchema({
+    typeDefs: [...typeDefs, ...DIRECTIVES.map(({ typeDef }) => typeDef)],
+    resolvers
+  })
+  return DIRECTIVES.reduce((acc, directive) => directive.apply(acc), schema)
+}

api/directives/upper.js

@@ -0,0 +1,30 @@
+import gql from 'graphql-tag'
+import { defaultFieldResolver } from 'graphql'
+import { getDirective, MapperKind, mapSchema } from '@graphql-tools/utils'
+
+/** Example schema directive that uppercases the value of the field before returning it to the client */
+
+const DIRECTIVE_NAME = 'upper'
+
+export const typeDef = gql`directive @${DIRECTIVE_NAME} on FIELD_DEFINITION`
+
+export function apply (schema) {
+  return mapSchema(schema, {
+    [MapperKind.OBJECT_FIELD]: fieldConfig => {
+      const upperDirective = getDirective(schema, fieldConfig, DIRECTIVE_NAME)?.[0]
+      if (upperDirective) {
+        const { resolve = defaultFieldResolver } = fieldConfig
+        return {
+          ...fieldConfig,
+          resolve: async function (parent, args, context, info) {
+            const result = await resolve(parent, args, context, info)
+            if (typeof result === 'string') {
+              return result.toUpperCase()
+            }
+            return result
+          }
+        }
+      }
+    }
+  })
+}

api/resolvers/user.js

@@ -936,10 +936,6 @@ export default {
 
   User: {
     privates: async (user, args, { me, models }) => {
-      if (!me || me.id !== user.id) {
-        return null
-      }
-
       return user
     },
     optional: user => user,

api/ssrApollo.js

@@ -1,8 +1,6 @@
 import { ApolloClient, InMemoryCache } from '@apollo/client'
 import { SchemaLink } from '@apollo/client/link/schema'
-import { makeExecutableSchema } from '@graphql-tools/schema'
-import resolvers from './resolvers'
-import typeDefs from './typeDefs'
+import { schema } from '@/pages/api/graphql'
 import models from './models'
 import { print } from 'graphql'
 import lnd from './lnd'
@@ -22,10 +20,7 @@ export default async function getSSRApolloClient ({ req, res, me = null }) {
   const client = new ApolloClient({
     ssrMode: true,
     link: new SchemaLink({
-      schema: makeExecutableSchema({
-        typeDefs,
-        resolvers
-      }),
+      schema,
       context: {
         models,
         me: session

api/typeDefs/user.js

@@ -79,7 +79,7 @@ export default gql`
     proportion: Float
 
     optional: UserOptional!
-    privates: UserPrivates
+    privates: UserPrivates @auth(allow: [OWNER])
 
     meMute: Boolean!
     meSubscriptionPosts: Boolean!

pages/api/graphql.js

@@ -1,18 +1,20 @@
 import { ApolloServer } from '@apollo/server'
 import { ApolloServerPluginLandingPageLocalDefault } from '@apollo/server/plugin/landingPage/default'
 import { startServerAndCreateNextHandler } from '@as-integrations/next'
-import resolvers from '@/api/resolvers'
 import models from '@/api/models'
 import lnd from '@/api/lnd'
 import typeDefs from '@/api/typeDefs'
+import { makeExecutableSchemaWithDirectives } from '@/api/directives'
+import resolvers from '@/api/resolvers'
 import { getServerSession } from 'next-auth/next'
 import { getAuthOptions } from './auth/[...nextauth]'
 import search from '@/api/search'
 import { multiAuthMiddleware } from '@/lib/auth'
 
+export const schema = makeExecutableSchemaWithDirectives(typeDefs, resolvers)
+
 const apolloServer = new ApolloServer({
-  typeDefs,
-  resolvers,
+  schema,
   introspection: true,
   allowBatchedHttpRequests: true,
   plugins: [{