An Ariadne extension for authorization, allowing global permissions for all resolvers and fine-grained control over required permissions for specific resolvers in GraphQL APIs.

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for d0cza from gravatar.com d0cza Avatar for karoljago from gravatar.com karoljago Avatar for mirumee from gravatar.com mirumee

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: BSD-3-Clause
    SPDX License Expression
  • Author: Mirumee Labs
  • Tags ariadne , ariadne-extension , authorization , permissions
  • Requires: Python >=3.9
  • Provides-Extra: dev , types
Classifiers
Report project as malware

Project description

How to use:

pip install ariadne-auth

Set your Authorization Extension with global permissions

from graphql import GraphQLResolveInfo
from ariadne_auth.authz import AuthorizationExtension
from ariadne_auth.types import HasPermissions


# Define a function that returns the permission object
def get_permission_obj(info: GraphQLResolveInfo) -> HasPermissions:
    return info.context["my_permission_obj"]

# it can be also an async function
async def get_permission_obj_async(info: GraphQLResolveInfo) -> HasPermissions:
    return info.context["my_permission_obj"]


# Instantiate the AuthorizationExtension
authz = AuthorizationExtension(permissions_object_provider_fn=get_permission_obj)

# Set list of permissions required for all resolvers 
authz.set_required_global_permissions(["user:logged_in"])

Configure resolvers

query = QueryType()
ship = ObjectType("Ship")
faction = ObjectType("Faction")

# Set additional required permissions for specific resolvers
@query.field("rebels")
@authz.require_permissions(permissions=["read:rebels"])
async def resolve_rebels(*_):
    return FACTIONS[0]


@query.field("empire")
@authz.require_permissions(permissions=["read:empire"], ignore_global_permissions=False)
async def resolve_empire(*_):
    return FACTIONS[1]



# Disable global permissions for specific resolver
@query.field("ships")
@authz.require_permissions(permissions=[], ignore_global_permissions=True)
async def resolve_ships(obj, *_):
    return SHIPS

# Note the global permission is set on default_field_resolver it requires to disable permissions explicity
@ship.field("name")
@authz.require_permissions(permissions=[], ignore_global_permissions=True)
async def resolve_ship_name(obj, *_):
    return obj["name"]

If needed you may also overwrite the function to get the permission object

def get_ship_permissions(info: GraphQLResolveInfo) -> HasPermissions:
    return info.context["my_ship_permission_obj"]

@ship.field("name")
@authz.require_permissions(
    permissions=[],
    ignore_global_permissions=True,
    permissions_object_provider_fn=get_ship_permissions
)
async def resolve_ship_name(obj, *_):
    return obj["name"]

Add your extension to Ariadne GraphQL instance

app = GraphQL(
    schema,
    http_handler=GraphQLHTTPHandler(extensions=[authz]),  # add the authz extension
)

You may also pass authz instance into info.context to use it directly

use _auth.assert_permissions or await _auth.assert_permissions_async to check permissions in your resovlers

# Depends on the faction, additional permissions are required
@faction.field("ships")
async def resolve_faction_ships(faction_obj, info: GraphQLResolveInfo, *_):
    _auth = info.context["auth"]
    if (
        faction_obj["name"] == "Alliance to Restore the Republic"
    ):  # Rebels faction requires additional perm to read ships
        _auth.assert_permissions(_auth.permissions_object_provider_fn(info), ["read:ships"])

    return [_ship for _ship in SHIPS if _ship["factionId"] == faction_obj["id"]]

def get_context_value(request, data):
    return {
        **authz.generate_authz_context(request),
    }


app = GraphQL(
    schema,
    context_value=get_context_value,
    http_handler=GraphQLHTTPHandler(extensions=[authz])
)

Run test app

The repository contains a test application that demonstrates how to use the library

To run test application use: hatch run ariadne_auth

Note that user_id is hardcoded in app.py:104

Example request

for user with permissions

    permissions=[
        "user:logged_in",
        "read:empire",
        "read:rebels",
    ],  # can't read rebels ships

query {
  empire{
    id
    name
    ships {
      id
      name
    }
  }
  rebels{
    id
    name
    ships {
      name
    }
  }
  ships {
    name
  }
}

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for d0cza from gravatar.com d0cza Avatar for karoljago from gravatar.com karoljago Avatar for mirumee from gravatar.com mirumee

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: BSD-3-Clause
    SPDX License Expression
  • Author: Mirumee Labs
  • Tags ariadne , ariadne-extension , authorization , permissions
  • Requires: Python >=3.9
  • Provides-Extra: dev , types
Classifiers

Release history Release notifications | RSS feed

0.1.1

0.1.0

0.0.1.dev5 pre-release

0.0.1.dev4 pre-release

This version

0.0.1.dev3 pre-release

0.0.1.dev2 pre-release

0.0.1.dev1 pre-release

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ariadne_auth-0.0.1.dev3.tar.gz (10.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ariadne_auth-0.0.1.dev3-py3-none-any.whl (6.2 kB view details)

Uploaded Python 3

File details

Details for the file ariadne_auth-0.0.1.dev3.tar.gz.

File metadata

  • Download URL: ariadne_auth-0.0.1.dev3.tar.gz
  • Upload date:
  • Size: 10.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.8

File hashes

Hashes for ariadne_auth-0.0.1.dev3.tar.gz
Algorithm Hash digest
SHA256 455ad03385a240ec037056b388f705bf24ad20227d68e3e9a74f07ec3b297f6d
MD5 0e970bccbb10709ac53b88b0be7bf8e5
BLAKE2b-256 f7e0684af61ba6151b693d7d134f154b1a070213da40411c04a31ed983394a53

See more details on using hashes here.

Provenance

The following attestation bundles were made for ariadne_auth-0.0.1.dev3.tar.gz:

Publisher: publish.yml on mirumee/ariadne-auth

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ariadne_auth-0.0.1.dev3-py3-none-any.whl.

File metadata

File hashes

Hashes for ariadne_auth-0.0.1.dev3-py3-none-any.whl
Algorithm Hash digest
SHA256 0942b5966fc8a9d305f079b604e17967797cae07b419b0e90860f3864979e1a5
MD5 9b76bfda3dba14037c41a4cf1a3fb037
BLAKE2b-256 9221b63a693c8dd4e3e3c42165f1db66c3e35bd4960dfd05671cd34cc5c7d16e

See more details on using hashes here.

Provenance

The following attestation bundles were made for ariadne_auth-0.0.1.dev3-py3-none-any.whl:

Publisher: publish.yml on mirumee/ariadne-auth

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page