
@txstate-mws/graphql-server


A simple graphql server designed to work with typegraphql.

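"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.AuthorizedServiceSync = exports.AuthorizedService = exports.BaseService = void 0;
const txstate_utils_1 = require("txstate-utils");

/**
 * Guard for the synchronous authorization path.
 *
 * AuthorizedServiceSync evaluates the result of mayView() for truthiness. A
 * Promise is always truthy, so an override that was accidentally declared
 * `async` (or otherwise returns a thenable) would let every object through
 * the filter. Fail loudly instead of silently authorizing.
 *
 * @param {*} verdict - the value returned by mayView()
 * @returns {*} the same value, when it is not a thenable
 * @throws {TypeError} when the value has a callable `then`
 */
function requireSyncVerdict(verdict) {
  if (verdict != null && typeof verdict.then === "function") {
    throw new TypeError(
      "AuthorizedServiceSync.mayView returned a thenable; it must return a boolean synchronously. " +
        "Extend AuthorizedService instead if the check needs to be async."
    );
  }
  return verdict;
}

/**
 * Thin wrapper around the request context. Every member simply forwards to
 * the `ctx` object handed to the constructor.
 */
class BaseService {
  /**
   * @param {object} ctx - request context; this class reads `loaders` and
   *   `auth` from it and calls its `svc`, `timing` and `requireAuth` methods.
   */
  constructor(ctx) {
    this.ctx = ctx;
  }

  /** The context's `loaders`. */
  get loaders() {
    return this.ctx.loaders;
  }

  /** The context's `auth` value. */
  get auth() {
    return this.ctx.auth;
  }

  /**
   * Obtain another service through the context.
   * @param {Function} ServiceType - passed straight to `ctx.svc`
   * @returns {*} whatever `ctx.svc(ServiceType)` returns
   */
  svc(ServiceType) {
    return this.ctx.svc(ServiceType);
  }

  /** Forward all arguments to `ctx.timing`. */
  timing(...messages) {
    this.ctx.timing(...messages);
  }

  /**
   * Delegate to `ctx.requireAuth()`.
   * NOTE(review): presumably throws for unauthenticated requests; confirm
   * against the context implementation.
   */
  requireAuth() {
    this.ctx.requireAuth();
  }
}
exports.BaseService = BaseService;

/**
 * Use this as a base class for your service to add a removeUnauthorized method that can
 * help you filter out objects the current user isn't allowed to see.
 *
 * Security note: the defaults are permissive. Unless a subclass overrides
 * them, mayView() approves every object and removeProperties() returns the
 * object unchanged, so removeUnauthorized() only drops null/undefined entries.
 */
class AuthorizedService extends BaseService {
  /**
   * Filter one object or an array of objects down to what the current user may see.
   *
   * @param {object|object[]|null|undefined} objects
   * @returns {Promise<object|object[]|undefined>} for an array: the visible
   *   entries, each passed through removeProperties(); for a single object:
   *   the result of removeProperties(), or undefined when mayView() rejects
   *   it; undefined for null/undefined input.
   */
  async removeUnauthorized(objects) {
    if (objects == null) return undefined;

    if (!Array.isArray(objects)) {
      return (await this.mayView(objects)) ? await this.removeProperties(objects) : undefined;
    }

    // Looked up at call time and invoked unbound, as the compiled original did.
    const { filterAsync, isNotNull } = txstate_utils_1;
    const candidates = objects.filter(isNotNull);
    const visible = await filterAsync(candidates, async (obj) => await this.mayView(obj));
    return await Promise.all(visible.map(async (obj) => await this.removeProperties(obj)));
  }

  /**
   * Override this method for any services that need to hide certain properties
   * from unauthorized users. For example, a User record might be visible to everyone
   * for directory purposes, but User.socialSecurityNumber needs to be removed
   * for all but the most privileged viewers.
   *
   * Do NOT mutate the object given, it will be cached in various dataloaders and you
   * don't want to alter the cache. Return a new cloned object instead. You may find
   * the txstate-utils functions clone, pick, and omit especially helpful.
   *
   * Removing foreign key info in this function can be problematic.
   *
   * The default implementation redacts nothing.
   */
  async removeProperties(object) {
    return object;
  }

  /**
   * Override this method for any services that need to filter the entire object
   * from unauthorized users. For example an Address record may only be visible
   * under a certain context where user is looking at their own address. Returning
   * false would filter out the address object so that undefined would be
   * returned or the object would be removed from lists.
   *
   * The default implementation allows everything; a service guarding
   * restricted data must override it.
   */
  async mayView(obj) {
    return true;
  }
}
exports.AuthorizedService = AuthorizedService;

/**
 * This class is the same idea as AuthorizedService but it expects you to have everything you
 * need to authorize release of an object already loaded, so that you will not have to make any
 * async calls. If you can do that, it will greatly improve performance as you will not have to make
 * several new promises per array element, which is rather expensive.
 *
 * Security note: as with AuthorizedService, the default mayView() allows
 * everything and the default removeProperties() redacts nothing. In addition,
 * mayView() MUST return synchronously here; removeUnauthorized() throws a
 * TypeError if it receives a thenable rather than treating it as approval.
 */
class AuthorizedServiceSync extends BaseService {
  /**
   * Synchronous counterpart of AuthorizedService.removeUnauthorized().
   *
   * @param {object|object[]|null|undefined} objects
   * @returns {object|object[]|undefined} same shape as the async variant,
   *   without the Promise wrapper.
   * @throws {TypeError} when mayView() returns a thenable.
   */
  removeUnauthorized(objects) {
    if (objects == null) return undefined;

    const isVisible = (obj) => requireSyncVerdict(this.mayView(obj));

    if (!Array.isArray(objects)) {
      return isVisible(objects) ? this.removeProperties(objects) : undefined;
    }

    return objects
      .filter((obj) => obj != null && isVisible(obj))
      .map((obj) => this.removeProperties(obj));
  }

  /**
   * Override this method for any services that need to hide certain properties
   * from unauthorized users. For example, a User record might be visible to everyone
   * for directory purposes, but User.socialSecurityNumber needs to be removed
   * for all but the most privileged viewers.
   *
   * Do NOT mutate the object given, it will be cached in various dataloaders and you
   * don't want to alter the cache. Return a new cloned object instead. You may find
   * the txstate-utils functions clone, pick, and omit especially helpful.
   *
   * Removing foreign key info in this function can be problematic.
   *
   * The default implementation redacts nothing.
   */
  removeProperties(object) {
    return object;
  }

  /**
   * Override this method for any services that need to filter the entire object
   * from unauthorized users. For example an Address record may only be visible
   * under a certain context where user is looking at their own address. Returning
   * false would filter out the address object so that undefined would be
   * returned or the object would be removed from lists.
   *
   * The default implementation allows everything. Overrides must return a
   * plain boolean, never a Promise.
   */
  mayView(obj) {
    return true;
  }
}
exports.AuthorizedServiceSync = AuthorizedServiceSync;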