GraphQL 在 JWT 字段上的身份验证问题
GraqhQL problem with auth on fields with JWT
所以我将 graphql 作为后端,将 React / Apollo 作为前端。
我已经实现了我的 JWT 令牌验证,它工作正常。
除此之外,我还有我的中间件,其中提供了 HttpContext 并且用户正确加载了所有声明:
namespace xxx.Web.GQL.Middleware
{
public class GraphQLMiddleware
{
private readonly RequestDelegate _next;
private readonly IDocumentWriter _writer;
private readonly IDocumentExecuter _executor;
private readonly ISchema _schema;
public GraphQLMiddleware(RequestDelegate next, IDocumentWriter writer, IDocumentExecuter executor, ISchema schema)
{
_next = next;
_writer = writer;
_executor = executor;
_schema = schema;
}
public async Task InvokeAsync(HttpContext httpContext)
{
if (httpContext.Request.Path.StartsWithSegments("/graphql") && string.Equals(httpContext.Request.Method, "POST", StringComparison.OrdinalIgnoreCase))
{
string body;
using (var streamReader = new StreamReader(httpContext.Request.Body))
{
body = await streamReader.ReadToEndAsync();
var request = JsonConvert.DeserializeObject<GraphQLQuery>(body);
var result = await _executor.ExecuteAsync(doc =>
{
doc.Schema = _schema;
doc.Query = request.Query;
doc.Inputs = request.Variables.ToInputs();
doc.ExposeExceptions = true;
doc.UserContext = httpContext.User;
}).ConfigureAwait(false);
var json = _writer.Write(result);
await httpContext.Response.WriteAsync(json);
}
}
else
{
await _next(httpContext);
}
}
}
}
到这里为止一切正常。
可悲的是,我正在为进一步的努力而苦苦挣扎。我添加了 GraphQL.Authorization Nuget,但所有给定的信息都不足以让我用它构建一些工作代码。
我能做的当然是访问查询解析器中的 userContext 并检查它 "by hand" 但我尽量避免它 ;)
Field<StringGraphType>(
name: "hallo",
resolve: c =>
{
var userPrinc = (ClaimsPrincipal)c.UserContext;
var allowed = userPrinc.Claims.Any(x => x.Type == "Role" && x.Value == "Admin" || x.Value == "Mod");
if (!allowed)
{
throw new Exception("TODO: Make this a 401 FORBIDDEN");
}
return "World";
}
所以我想要的是:
检查具有一个或多个角色的给定声明的字段级声明(用于查询或更改)。
第一个需要定义策略。在 ConfigureServices 方法中执行此操作。例如:
services.AddGraphQLAuth(_ =>
{
_.AddPolicy("name-of-policy", p => p.RequireClaim("role", "admin"));
});
并确保使用 AddUserContextBuilder 方法添加用户上下文,例如:
services.AddGraphQL(options =>
{
options.ExposeExceptions = true;
}).AddUserContextBuilder(context => new GraphQLUserContext { User = context.User });
最后,您需要在字段中使用属于 GraphQL.Authorization 的 AuthorizeWith 扩展方法。例如:
Field<StringGraphType>( /* snip */ )
.AuthorizeWith("name-of-policy");
看看这里的例子:https://github.com/graphql-dotnet/authorization/tree/master/src/Harness
所以我将 graphql 作为后端,将 React / Apollo 作为前端。 我已经实现了我的 JWT 令牌验证,它工作正常。
除此之外,我还有我的中间件,其中提供了 HttpContext 并且用户正确加载了所有声明:
namespace xxx.Web.GQL.Middleware
{
public class GraphQLMiddleware
{
private readonly RequestDelegate _next;
private readonly IDocumentWriter _writer;
private readonly IDocumentExecuter _executor;
private readonly ISchema _schema;
public GraphQLMiddleware(RequestDelegate next, IDocumentWriter writer, IDocumentExecuter executor, ISchema schema)
{
_next = next;
_writer = writer;
_executor = executor;
_schema = schema;
}
public async Task InvokeAsync(HttpContext httpContext)
{
if (httpContext.Request.Path.StartsWithSegments("/graphql") && string.Equals(httpContext.Request.Method, "POST", StringComparison.OrdinalIgnoreCase))
{
string body;
using (var streamReader = new StreamReader(httpContext.Request.Body))
{
body = await streamReader.ReadToEndAsync();
var request = JsonConvert.DeserializeObject<GraphQLQuery>(body);
var result = await _executor.ExecuteAsync(doc =>
{
doc.Schema = _schema;
doc.Query = request.Query;
doc.Inputs = request.Variables.ToInputs();
doc.ExposeExceptions = true;
doc.UserContext = httpContext.User;
}).ConfigureAwait(false);
var json = _writer.Write(result);
await httpContext.Response.WriteAsync(json);
}
}
else
{
await _next(httpContext);
}
}
}
}
到这里为止一切正常。
可悲的是,我正在为进一步的努力而苦苦挣扎。我添加了 GraphQL.Authorization Nuget,但所有给定的信息都不足以让我用它构建一些工作代码。
我能做的当然是访问查询解析器中的 userContext 并检查它 "by hand" 但我尽量避免它 ;)
Field<StringGraphType>(
name: "hallo",
resolve: c =>
{
var userPrinc = (ClaimsPrincipal)c.UserContext;
var allowed = userPrinc.Claims.Any(x => x.Type == "Role" && x.Value == "Admin" || x.Value == "Mod");
if (!allowed)
{
throw new Exception("TODO: Make this a 401 FORBIDDEN");
}
return "World";
}
所以我想要的是: 检查具有一个或多个角色的给定声明的字段级声明(用于查询或更改)。
第一个需要定义策略。在 ConfigureServices 方法中执行此操作。例如:
services.AddGraphQLAuth(_ =>
{
_.AddPolicy("name-of-policy", p => p.RequireClaim("role", "admin"));
});
并确保使用 AddUserContextBuilder 方法添加用户上下文,例如:
services.AddGraphQL(options =>
{
options.ExposeExceptions = true;
}).AddUserContextBuilder(context => new GraphQLUserContext { User = context.User });
最后,您需要在字段中使用属于 GraphQL.Authorization 的 AuthorizeWith 扩展方法。例如:
Field<StringGraphType>( /* snip */ )
.AuthorizeWith("name-of-policy");
看看这里的例子:https://github.com/graphql-dotnet/authorization/tree/master/src/Harness