Ability to authorize GraphQL fields

[danharrin]

Hi! Thank you so much for the awesome GraphQL package, we love it.

Currently, we can prevent the user from selecting particular fields in the response of a query using @canRoot(ability: 'viewEmail'), etc. This is great for granular authorization.

However, even if the user cannot select a field due to this authorization, they may infer what it contains, by querying that field they do not have access to. For example, they can check if a user has a particular email address or not, by querying the email field with your package and seeing if there are results or not. This could be classed as a security vulnerability in the GraphQL API itself, especially if the user can query sensitive information they do not have access to.

It would be awesome if we could apply a @canRoot or a similar directive to a query field, which would prevent the user from being able to use that field in the query. For example:

type User @model(class: "user") {
    "Unique primary key."
    id: UUID!

    "Unique email address."
    email: String! @canRoot(ability: "viewEmail")
}

input UserQuery {
    "Unique primary key."
    id: UUID!

    "Users email address."
    email: String! @canRoot(ability: "viewEmail") # New usage of this directive
}

Please let me know if this request is confusing and you need clarification, or if I can help in any way. I have tried creating custom Lighthouse directives, but they don't seem to apply to fields in the query, I think there is some post-processing going on in your package.

Many thanks!
Dan

[LastDragon-ru]

Thanks. The @can* directives cannot be used with INPUT_FIELD_DEFINITION (only with FIELD_DEFINITION) which is why these directives are not copied by default (also, I'm not sure that Lighthouse support them in inputs). Only @rename and operator directives are copying into generated input and there is no setting for this :( (#132). The only way (until #132 (but it will be for v6 only)) is to create subclass for

• LastDragon_ru\LaraASP\GraphQL\SearchBy\Types\Condition\Condition (main)
• LastDragon_ru\LaraASP\GraphQL\SearchBy\Types\Condition\Root (main)
• LastDragon_ru\LaraASP\GraphQL\SortBy\Types\Clause\Clause (main)
• LastDragon_ru\LaraASP\GraphQL\SortBy\Types\Clause\Root (main)
• LastDragon_ru\LaraASP\GraphQL\SearchBy\Types\Condition (v5 only)
• LastDragon_ru\LaraASP\GraphQL\SortBy\Types\Clause (v5 only)

and redefine isFieldDirectiveAllowed() (please note that signature is different in main and v5) and then bind them into Container.

[LastDragon-ru]

The new settings were added in main, will try to port it into v5 tomorrow.

lara-asp/packages/graphql/defaults/config.php

Lines 124 to 139 in 2bdd63d

	/**
	* General settings for all `Builder` directives like `@searchBy`/`@sortBy`/etc.
	*/
	'builder' => [
	/**
	* The list of the directives which should be copied from the original
	* field into the generated `input` field. All other directives except
	* {@see Operator} will be ignored.
	*
	* The `instanceof` operator is used to check.
	*/
	'allowed_directives' => [
	RenameDirective::class,
	],
	],
	];

[danharrin]

Thank you so much for the pointers!

I've managed to implement it. I also had to override call() in the @searchBy and @sortBy directives in order to handle the directive (currently it only handles operators if they exist on each field).

Would you be open to a PR containing a new @canUseInQuery() directive? The built-in @canQuery() doesn't work in this case

[LastDragon-ru]

Would you be open to a PR containing a new @canUseInQuery() directive? The built-in @CanQuery() doesn't work in this case

Probably not, sorry. I think will be better to address it inside Lighthouse itself. Maybe @spawnia have some ideas how to run guard/policy for arguments (I've never tried it...).

[LastDragon-ru]

The v5.6.0 with builder.allowed_directives setting is released 🎉