Permission blacklist + field-level auth example

app/controllers/api/base_controller.rb

@@ -25,6 +25,10 @@ def set_submission
       @submission = Submission.find(submission_id)
     end
 
+    def set_current_user_roles
+      current_user_roles
+    end
+
     def require_authentication
       raise ApplicationController::NotAuthorized unless current_app && current_user
     end
@@ -51,5 +55,9 @@ def current_app
     def current_user
       @current_user ||= jwt_payload&.fetch('sub', nil)
     end
+
+    def current_user_roles
+      @current_user_roles ||= jwt_payload&.fetch('roles', [])&.split(',')
+    end
   end
 end

app/controllers/api/graphql_controller.rb

@@ -1,15 +1,15 @@
 module Api
   class GraphqlController < BaseController
-    before_action :require_authentication
-
     def execute
       result = RootSchema.execute(
         params[:query],
         variables: params[:variables],
         context: {
           current_application: current_app,
-          current_user: current_user
-        }
+          current_user: current_user,
+          current_user_roles: current_user_roles
+        },
+        except: Util::PermissionBlacklist
       )
       render json: result, status: 200
     end

app/graph/mutations.rb

@@ -5,6 +5,8 @@ module Mutations
     field :createSubmission, Types::SubmissionType do
       description 'Create a submission'
       argument :submission, Inputs::SubmissionInput::Create
+      permit ['user']
+
       resolve ->(_obj, args, context) {
         Submission.create!(args[:submission].to_h.merge(user_id: context[:current_user]))
       }
@@ -13,6 +15,8 @@ module Mutations
     field :updateSubmission, Types::SubmissionType do
       description 'Create a submission'
       argument :submission, Inputs::SubmissionInput::Update
+      permit ['user']
+
       resolve ->(_obj, args, _context) {
         submission = Submission.find_by(id: args[:submission][:id]) ||
                      raise(GraphQL::ExecutionError, 'Submission Not Found')

app/graph/root_schema.rb

@@ -1,6 +1,8 @@
+GraphQL::Field.accepts_definitions(permit: GraphQL::Define.assign_metadata_key(:permit))
+
 RootSchema = GraphQL::Schema.define do
   query Types::QueryType
   mutation Mutations::Root
-
+  instrument(:field, Util::AuthorizationInstrumentation.new)
   max_depth 5
 end

app/graph/types/query_type.rb

@@ -6,6 +6,7 @@ module Types
       description 'Find Submissions'
       argument :ids, types[types.ID]
       argument :id, types.ID
+      permit ['admin']
 
       resolve ->(_object, args, _context) {
         args[:ids] ? Submission.where(id: args[:ids]) : [Submission.find(args[:id])]

app/graph/util/authorization_instrumentation.rb

@@ -0,0 +1,37 @@
+module Util
+  class AuthorizationInstrumentation
+    def instrument(_type, field)
+      if requires_authorization?(field)
+        old_resolve_proc = field.resolve_proc
+        new_resolve_proc = ->(obj, args, ctx) do
+          if can_access?(field, ctx)
+            resolved = old_resolve_proc.call(obj, args, ctx)
+            resolved
+          else
+            err = GraphQL::ExecutionError.new("Can't access #{field.name}")
+            ctx.add_error(err)
+          end
+        end
+
+        field.redefine do
+          resolve(new_resolve_proc)
+        end
+      else
+        field
+      end
+    end
+
+    def requires_authorization?(field)
+      field.metadata[:permit].present?
+    end
+
+    def can_access?(field, ctx)
+      if field.metadata[:permit]
+        return false unless ctx[:current_user_roles]
+        !(ctx[:current_user_roles] & field.metadata[:permit]).empty?
+      else
+        field
+      end
+    end
+  end
+end

app/graph/util/permission_blacklist.rb

@@ -0,0 +1,7 @@
+module Util
+  class PermissionBlacklist
+    def self.call(schema_member, context)
+      return context[:current_user].blank? if schema_member.name == 'user_id'
+    end
+  end
+end

spec/requests/api/graphql/create_spec.rb

@@ -1,7 +1,7 @@
 require 'rails_helper'
 
 describe 'Create Submission With Graphql' do
-  let(:jwt_token) { JWT.encode({ aud: 'gravity', sub: 'userid' }, Convection.config.jwt_secret) }
+  let(:jwt_token) { JWT.encode({ aud: 'gravity', sub: 'userid', roles: 'user' }, Convection.config.jwt_secret) }
   let(:headers) { { 'Authorization' => "Bearer #{jwt_token}" } }
 
   let(:create_mutation) do
@@ -31,7 +31,10 @@
       post '/api/graphql', params: {
         query: create_mutation
       }, headers: { 'Authorization' => 'Bearer foo.bar.baz' }
-      expect(response.status).to eq 401
+      expect(response.status).to eq 200
+      body = JSON.parse(response.body)
+      expect(body['data']['createSubmission']).to eq nil
+      expect(body['errors'][0]['message']).to eq "Can't access createSubmission"
     end
 
     it 'rejects when missing artist_id' do

spec/requests/api/graphql/query_spec.rb

@@ -1,8 +1,9 @@
 require 'rails_helper'
 
 describe 'Query Submissions With Graphql' do
-  let(:jwt_token) { JWT.encode({ aud: 'gravity', sub: 'userid' }, Convection.config.jwt_secret) }
-  let(:headers) { { 'Authorization' => "Bearer #{jwt_token}" } }
+  let(:admin_jwt_token) { JWT.encode({ aud: 'gravity', sub: 'userid', roles: 'admin' }, Convection.config.jwt_secret) }
+  let(:user_jwt_token) { JWT.encode({ aud: 'gravity', sub: 'userid', roles: 'user' }, Convection.config.jwt_secret) }
+  let(:headers) { { 'Authorization' => "Bearer #{admin_jwt_token}" } }
   let(:submission) { Fabricate(:submission, artist_id: 'abbas-kiarostami', title: 'rain') }
   let!(:submission2) { Fabricate(:submission, artist_id: 'andy-warhol', title: 'no-rain') }
   let(:asset) { Fabricate(:asset, submission: submission) }
@@ -20,11 +21,40 @@
   end
 
   describe 'POST /graphql' do
-    it 'rejects unauthorized requests' do
+    it 'does not return the user_id if there is no user' do
+      introspection_query = <<-graphql
+        query {
+          __type(name: "Submission") {
+            name
+            fields {
+              name
+            }
+          }
+        }
+      graphql
       post '/api/graphql', params: {
-        query: query_submissions
-      }, headers: { 'Authorization' => 'Bearer foo.bar.baz' }
-      expect(response.status).to eq 401
+        query: introspection_query
+      }
+      expect(JSON.parse(response.body)['data']['__type']['fields'].map { |f| f['name'] }).to_not include('user_id')
+      expect(response.status).to eq 200
+    end
+
+    it 'includes the user_id param if there is a user present' do
+      introspection_query = <<-graphql
+        query {
+          __type(name: "Submission") {
+            name
+            fields {
+              name
+            }
+          }
+        }
+      graphql
+      post '/api/graphql', params: {
+        query: introspection_query
+      }, headers: headers
+      expect(JSON.parse(response.body)['data']['__type']['fields'].map { |f| f['name'] }).to include('user_id')
+      expect(response.status).to eq 200
     end
 
     it 'finds two existing submissions' do
@@ -35,5 +65,15 @@
       body = JSON.parse(response.body)
       expect(body['data']['submission'].count).to eq 2
     end
+
+    it 'throws an error if a user tries to access' do
+      post '/api/graphql', params: {
+        query: query_submissions
+      }, headers: { 'Authorization' => "Bearer #{user_jwt_token}" }
+      expect(response.status).to eq 200
+      body = JSON.parse(response.body)
+      expect(body['data']['submission']).to eq nil
+      expect(body['errors'][0]['message']).to eq "Can't access submission"
+    end
   end
 end

spec/requests/api/graphql/update_spec.rb

@@ -1,7 +1,7 @@
 require 'rails_helper'
 
 describe 'Update Submission With Graphql' do
-  let(:jwt_token) { JWT.encode({ aud: 'gravity', sub: 'userid' }, Convection.config.jwt_secret) }
+  let(:jwt_token) { JWT.encode({ aud: 'gravity', sub: 'userid', roles: 'user' }, Convection.config.jwt_secret) }
   let(:headers) { { 'Authorization' => "Bearer #{jwt_token}" } }
   let(:submission) { Fabricate(:submission, artist_id: 'abbas-kiarostami', title: 'rain') }
 
@@ -33,7 +33,10 @@
       post '/api/graphql', params: {
         query: update_mutation
       }, headers: { 'Authorization' => 'Bearer foo.bar.baz' }
-      expect(response.status).to eq 401
+      expect(response.status).to eq 200
+      body = JSON.parse(response.body)
+      expect(body['data']['updateSubmission']).to eq nil
+      expect(body['errors'][0]['message']).to eq "Can't access updateSubmission"
     end
 
     it 'errors for unkown submission id' do