Permit.Absinthe (permit_absinthe v0.1.0)
Integration between Permit authorization and Absinthe GraphQL.
This lets you map GraphQL types to Ecto schemas and automatically handle authorization in your resolvers. No more manually checking permissions in every resolver or worrying about unauthorized data leaking through.
Basic setup - add it to your schema:
defmodule MyAppWeb.Schema do
use Absinthe.Schema
use Permit.Absinthe, authorization_module: MyApp.Authorization
endMap GraphQL types to schemas:
object :post do
permit schema: MyApp.Blog.Post
field :id, :id
field :title, :string
endThen use the built-in resolvers for automatic loading and authorization:
query do
field :post, :post do
arg :id, non_null(:id)
resolve &load_and_authorize/2 # loads and checks permissions
end
field :posts, list_of(:post) do
resolve &load_and_authorize/2 # returns only accessible posts
end
endCustom ID fields work too:
field :post_by_slug, :post do
permit action: :read, id_param_name: :slug, id_struct_field_name: :slug
arg :slug, non_null(:string)
resolve &load_and_authorize/2
endFor mutations and complex scenarios, use middleware and a custom resolver instead:
field :update_post, :post do
permit action: :update
middleware Permit.Absinthe.Middleware.LoadAndAuthorize
resolve fn _, args, %{context: %{loaded_resource: post}} ->
# post is already loaded and authorized
MyApp.Blog.update_post(post, args)
end
endWorks with Dataloader for efficient batch loading:
field :comments, list_of(:comment) do
permit action: :read
resolve &authorized_dataloader/3
endYou can also use directives if visibility in the schema is important. Add the prototype schema:
# Inside the schema module
@prototype_schema Permit.Absinthe.Schema.PrototypeThen use the :load_and_authorize directive on fields:
field :posts, list_of(:post), directives: [:load_and_authorize] do
permit action: :read
resolve fn _, _, %{context: %{loaded_resources: posts}} ->
{:ok, posts}
end
endAuthorization happens automatically based on your Permit rules. Returns
{:error, "Unauthorized"} or {:error, "Not found"} when access is denied.
Summary
Functions
Dataloader resolver that batches queries while checking authorization.
Maps GraphQL types and fields to Permit resources and actions.
Functions
Dataloader resolver that batches queries while checking authorization.
Prevents N+1 queries by batching database calls, but still applies your Permit authorization rules. Great for loading associations efficiently.
Use it like a standard dataloader resolver:
object :post do
permit schema: MyApp.Blog.Post
field :id, :id
field :title, :string
field :comments, list_of(:comment), resolve: &authorized_dataloader/3
endYou'll need to set up Dataloader in your schema as usual:
def plugins do
[Absinthe.Middleware.Dataloader | Absinthe.Plugin.defaults()]
endAnd add the dataloader setup middleware to fields that use it:
field :post, :post do
permit action: :read
middleware Permit.Absinthe.Middleware.DataloaderSetup
endSee Permit.Absinthe.Resolvers.LoadAndAuthorize.load_and_authorize/2.
Maps GraphQL types and fields to Permit resources and actions.
Use this to tell Permit which Ecto schema a GraphQL type represents, what action to authorize, or customize how resources are loaded.
Map a type to a schema:
object :article do
permit schema: Blog.Content.Article
# ...
endSpecify an action for a field:
field :create_article, :article do
permit action: :create
# ...
endCustom ID lookups:
field :article_by_slug, :article do
permit action: :read, id_param_name: :slug, id_struct_field_name: :slug
# ...
endOptions:
:schema- Ecto schema this type represents:action- Action to authorize (required for mutations, defaults to:read):id_param_name- Parameter name for lookups (defaults to:id):id_struct_field_name- Struct field to match against (defaults to:id)