Authorization in TypeGraphQL with permission layer like GraphQL Shield.

I often use TypeGraphQL + Prisma + typegraphql-prisma for backend applications. Firstly, all the goodness of GraphQL on Node.js, and then adding complete TypeScript support makes this combo unbeatable! The integration is just that good. I get all the CRUD resolvers and schema types ahead of time so I can build custom resolvers a lot faster than if I was just building my own resolvers, and managing my own database schema separately.

Check this link if you want to know what I mean: https://typegraphql.com/docs/prisma.html

Now, this article is going to be useful if you already know what we are going to be working with here: TypeGraphQL and looking at implementing authorization for your API.

Coming to the topic of Authorization

My GraphQL APIs often need authorization. TypeGraphQL allows role-based authorization out-of-the-box. So if I had “ADMIN” type users and “USER” type users, I could easily write an Authorized(“ADMIN”) to authorize only admins to access certain resolvers.

But let’s take a little more complex scenario, however a bit vague. Let's say I have a social media application and I want users to be able to only edit posts created by them. Further, I want users to be able to comment on some posts but not on others. How do we define roles for such scenarios? I find it hard to implement a logical way.

Instead, years back, I used to implement a permission layer of rules for such use-cases in graphql shield. I can define reusable roles such as isAuthenticated, or isAuthor, or isAllowedToComment etc to determine permissions for each user. Moreover, I can combine multiple of these rules using boolean logic such as (Rule A OR Rule B) AND Rule C. That is complex to do with what TypeGraphQL, or so it seems to me at least.

The solution to this complexity

typegraphql-authchecker. I love using TypeGraphQL and Prisma. So I decided that I wanted a permissions layer for authorization in the framework. And the package delivers those little functionalities to make that happen. I can chain rules, implement boolean logic on them and more (check the project link for the documentation). Of course, it is probably not stable and I have not spent enough time on it. But that is why I put it out here, in the open so I can have your help to make it complete.

Hope that you found this useful! Find me on Twitter if you have any comments about this article, or anything else.

I have also been working on Deploifai that is a modern cloud platform for data and AI. Check it out if you work with things like Jupyter/TensorFlow/PyTorch on the cloud.

Thanks a lot for reading!

--

--

--

Machine Learning, DevOps and Robotics.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Line Follower Robot Algorithm & Optimizations for Better Line Following

AWS Ephemera — Debugging Doubled S3 Hostnames

Fill missing values using MongoDB aggregation framework

Fun with Skyboxes in Unity

Implementing Kanban Quickly, Simply and Competently

Ready-to-go Spark NLP environment in SageMaker Studio

How to Construct Your Static Library?

How we improved our Python backend start-up time

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Utkarsh Goel

Utkarsh Goel

Machine Learning, DevOps and Robotics.

More from Medium

Unit testing made easy with NestJS — part 02 for GraphQL + MongoDB backend article series!

Managing and deploying NodeJS monorepo project

Monolith to Micro Frontends

Implementing Externally Defined Configuration Settings in NestJS