An Ariadne extension for authorization, allowing global permissions for all resolvers and fine-grained control over required permissions for specific resolvers in GraphQL APIs.

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for d0cza from gravatar.com d0cza Avatar for karoljago from gravatar.com karoljago Avatar for mirumee from gravatar.com mirumee

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: BSD-3-Clause
    SPDX License Expression
  • Author: Mirumee Labs
  • Tags ariadne , ariadne-extension , authorization , permissions
  • Requires: Python >=3.9
  • Provides-Extra: dev , types
Classifiers
Report project as malware

Project description

How to use:

pip install ariadne-auth

Set your Authorization Extension with global permissions

from graphql import GraphQLResolveInfo
from ariadne_auth.authz import AuthorizationExtension
from ariadne_auth.types import HasPermissions


# Define a function that returns the permission object
def get_permission_obj(info: GraphQLResolveInfo) -> HasPermissions:
    return info.context["my_permission_obj"]

# it can be also an async function
async def get_permission_obj_async(info: GraphQLResolveInfo) -> HasPermissions:
    return info.context["my_permission_obj"]


# Instantiate the AuthorizationExtension
authz = AuthorizationExtension(permissions_object_provider_fn=get_permission_obj)

# Set list of permissions required for all resolvers 
authz.set_required_global_permissions(["user:logged_in"])

Configure resolvers

query = QueryType()
ship = ObjectType("Ship")
faction = ObjectType("Faction")

# Set additional required permissions for specific resolvers
@query.field("rebels")
@authz.require_permissions(permissions=["read:rebels"])
async def resolve_rebels(*_):
    return FACTIONS[0]


@query.field("empire")
@authz.require_permissions(permissions=["read:empire"], ignore_global_permissions=False)
async def resolve_empire(*_):
    return FACTIONS[1]



# Disable global permissions for specific resolver
@query.field("ships")
@authz.require_permissions(permissions=[], ignore_global_permissions=True)
async def resolve_ships(obj, *_):
    return SHIPS

# Note the global permission is set on default_field_resolver it requires to disable permissions explicity
@ship.field("name")
@authz.require_permissions(permissions=[], ignore_global_permissions=True)
async def resolve_ship_name(obj, *_):
    return obj["name"]

If needed you may also overwrite the function to get the permission object

def get_ship_permissions(info: GraphQLResolveInfo) -> HasPermissions:
    return info.context["my_ship_permission_obj"]

@ship.field("name")
@authz.require_permissions(
    permissions=[],
    ignore_global_permissions=True,
    permissions_object_provider_fn=get_ship_permissions
)
async def resolve_ship_name(obj, *_):
    return obj["name"]

Add your extension to Ariadne GraphQL instance

app = GraphQL(
    schema,
    http_handler=GraphQLHTTPHandler(extensions=[authz]),  # add the authz extension
)

You may also pass authz instance into info.context to use it directly

use _auth.assert_permissions or await _auth.assert_permissions_async to check permissions in your resovlers

# Depends on the faction, additional permissions are required
@faction.field("ships")
async def resolve_faction_ships(faction_obj, info: GraphQLResolveInfo, *_):
    _auth = info.context["auth"]
    if (
        faction_obj["name"] == "Alliance to Restore the Republic"
    ):  # Rebels faction requires additional perm to read ships
        _auth.assert_permissions(_auth.permissions_object_provider_fn(info), ["read:ships"])

    return [_ship for _ship in SHIPS if _ship["factionId"] == faction_obj["id"]]

def get_context_value(request, data):
    return {
        **authz.generate_authz_context(request),
    }


app = GraphQL(
    schema,
    context_value=get_context_value,
    http_handler=GraphQLHTTPHandler(extensions=[authz])
)

Run test app

The repository contains a test application that demonstrates how to use the library

To run test application use: hatch run ariadne_auth

Note that user_id is hardcoded in app.py:104

Example request

for user with permissions

    permissions=[
        "user:logged_in",
        "read:empire",
        "read:rebels",
    ],  # can't read rebels ships

query {
  empire{
    id
    name
    ships {
      id
      name
    }
  }
  rebels{
    id
    name
    ships {
      name
    }
  }
  ships {
    name
  }
}

Crafted with ❤️ by Mirumee Software hello@mirumee.com

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for d0cza from gravatar.com d0cza Avatar for karoljago from gravatar.com karoljago Avatar for mirumee from gravatar.com mirumee

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: BSD-3-Clause
    SPDX License Expression
  • Author: Mirumee Labs
  • Tags ariadne , ariadne-extension , authorization , permissions
  • Requires: Python >=3.9
  • Provides-Extra: dev , types
Classifiers

Release history Release notifications | RSS feed

0.1.1

0.1.0

0.0.1.dev5 pre-release

This version

0.0.1.dev4 pre-release

0.0.1.dev3 pre-release

0.0.1.dev2 pre-release

0.0.1.dev1 pre-release

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ariadne_auth-0.0.1.dev4.tar.gz (10.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ariadne_auth-0.0.1.dev4-py3-none-any.whl (6.2 kB view details)

Uploaded Python 3

File details

Details for the file ariadne_auth-0.0.1.dev4.tar.gz.

File metadata

  • Download URL: ariadne_auth-0.0.1.dev4.tar.gz
  • Upload date:
  • Size: 10.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for ariadne_auth-0.0.1.dev4.tar.gz
Algorithm Hash digest
SHA256 6506b088e25ccd36f0a0148ea3a0e2484fc3d6e024fcfc19b0a3b2f02fc5fed2
MD5 2f8f4c2764224b6d039ac610d1299c03
BLAKE2b-256 5a8bff9afde51dbefb6e8f94f4b8e99ee4c4789cd488684644b5035948e58d33

See more details on using hashes here.

Provenance

The following attestation bundles were made for ariadne_auth-0.0.1.dev4.tar.gz:

Publisher: publish.yml on mirumee/ariadne-auth

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ariadne_auth-0.0.1.dev4-py3-none-any.whl.

File metadata

File hashes

Hashes for ariadne_auth-0.0.1.dev4-py3-none-any.whl
Algorithm Hash digest
SHA256 86b2de4c96573f9961ae6ad650190b811f477b959d47abb597e836bb95531c74
MD5 4cdacc08aa114b43ba32c0f8cb38cecc
BLAKE2b-256 2dc08f39f1ce6bcff7049312bf1d3ac63da14b7b385634f7207de51191d075fb

See more details on using hashes here.

Provenance

The following attestation bundles were made for ariadne_auth-0.0.1.dev4-py3-none-any.whl:

Publisher: publish.yml on mirumee/ariadne-auth

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page