View Source Authorize with GraphQL

AshGraphql uses three special keys in the absinthe context:

  • :actor - the current actor, to be used for authorization/preparations/changes
  • :tenant - a tenant when using multitenancy.
  • :ash_context - a map of arbitrary context to be passed into the changeset/query. Accessible via changeset.context and query.context

By default, authorize? in the domain is set to true. To disable authorization for a given domain in graphql, use:

graphql do
  authorize? false

If you are doing authorization, you'll need to provide an actor.

To set the actor for authorization, you'll need to add an actor key to the absinthe context. Typically, you would have a plug that fetches the current user and uses Ash.PlugHelpers.set_actor/2 to set the actor in the conn (likewise with Ash.PlugHelpers.set_tenant/2).

Just add AshGraphql.Plug somewhere after that in the pipeline and the your GraphQL APIs will have the correct authorization.

defmodule MyAppWeb.Router do
  pipeline :api do
    # ...
    plug :get_actor_from_token
    plug AshGraphql.Plug

  scope "/" do
    forward "/gql", Absinthe.Plug, schema: YourSchema

    forward "/playground",
          schema: YourSchema,
          interface: :playground

  def get_actor_from_token(conn, _opts) do
     with ["" <> token] <- get_req_header(conn, "authorization"),
         {:ok, user, _claims} <- MyApp.Guardian.resource_from_token(token) do
      |> set_actor(user)
    _ -> conn

Policy Breakdowns

By default, unauthorized requests simply return forbidden in the message. If you prefer to show policy breakdowns in your GraphQL errors, you can set the config option:

config :ash_graphql, :policies, show_policy_breakdowns?: true
  "data": {
    "attendanceRecords": null
  "errors": [
      "code": "forbidden",
      "fields": [],
      "locations": [
          "column": 3,
          "line": 2
      "message": "\n\n\n\n\nPolicy Breakdown\n  Policy | ⛔:\n    forbid unless: actor is active | ✓ | ⬇    \n    authorize if: actor is Executive | ✘ | ⬇",
      "path": ["attendanceRecords"],
      "short_message": "forbidden",
      "vars": {}

Be careful, as this can be an attack vector in some systems (i.e "here is exactly what you need to make true to do what you want to do").