graphql-authz is a Casbin authorization middleware for GraphQL
graphql-authz
GraphQL-Authz is a Python port of GraphQL-Authz, the Casbin authorization middleware implementation in Node.js.
This package should be used with GraphQL-core 3, providing the capability to limit access to each GraphQL resource with the authorization middleware.
Installation
Install the package using pip.
pip install casbin-graphql-authz
Get Started
Limit the access to each GraphQL resource with a policy. For example, given this policy for an RBAC model:
p, authorized_user, hello, query
Authorization can be enforced using:
import casbin
from authz.middleware import enforcer_middleware

from graphql import (
    graphql_sync,
    GraphQLSchema,
    GraphQLObjectType,
    GraphQLField,
    GraphQLString,
)

schema = GraphQLSchema(
    query=GraphQLObjectType(
        name="RootQueryType",
        fields={
            "hello": GraphQLField(
                GraphQLString,
                resolve=lambda obj, info: "world")
        }))

enforcer = casbin.Enforcer("model_file.conf", "policy_file.csv")
authorization_middleware = enforcer_middleware(enforcer)

query = """{ hello }"""

# Authorized user ("authorized_user") has access to data
response = graphql_sync(
    schema,
    query,
    middleware=[authorization_middleware],
    context_value={"role": "authorized_user"}
)
assert response.data == {"hello": "world"}

# Unauthorized users ("unauthorized_user") are rejected
response = graphql_sync(
    schema,
    query,
    middleware=[authorization_middleware],
    context_value={"role": "unauthorized_user"}
)
assert response.errors[0].message == "unauthorized_user can not query hello"
For more interesting scenarios, see the tests folder.
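The decision that the policy above encodes, as an added example that is not code from this package or from Casbin: a standard-library model of a deny-by-default check over `p, sub, obj, act` rules, with role inheritance through `g` lines. It assumes the request is (role, field name, operation), inferred from the policy line and the error message above; the `admin` role, the `updateGreeting` field and the `g` link are constructed for illustration.

```python
import csv
import io

# Constructed policy: the page's p rule plus hypothetical rules for an admin role.
POLICY_CSV = """\
p, authorized_user, hello, query
p, admin, updateGreeting, mutation
g, admin, authorized_user
"""


def load_policy(text):
    """Parse policy text into (permission tuples, role -> inherited roles)."""
    permissions, parents = set(), {}
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [cell.strip() for cell in row]
        if not row or not row[0] or row[0].startswith("#"):
            continue
        if row[0] == "p" and len(row) == 4:
            permissions.add(tuple(row[1:]))
        elif row[0] == "g" and len(row) == 3:
            parents.setdefault(row[1], set()).add(row[2])
        else:
            raise ValueError(f"malformed policy line: {row}")  # fail closed
    return permissions, parents


def roles_of(role, parents):
    """Return the role plus everything it inherits, following g links."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(parents.get(current, ()))
    return seen


def enforce(policy, role, field, operation):
    """Allow only if a held role has an exact (field, operation) rule."""
    permissions, parents = policy
    return any((r, field, operation) in permissions
               for r in roles_of(role, parents))


def denied_fields(policy, role, operation, fields):
    """Error messages for each requested field the role may not access."""
    return [f"{role} can not {operation} {name}" for name in fields
            if not enforce(policy, role, name, operation)]
```

In this model a field with no matching rule is denied, so a field added to the schema stays closed until a policy line grants it.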
Credits
Implementation was heavily inspired by the Node.js middleware GraphQL-Authz.
Authorization enforcement is based on the Casbin authorization library.