npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

loopback-graphql-checkacl

v0.56.0

Published

Add Apollo Server or GraphQL queries on your Loopback server with ACL capabilities

Downloads

20

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

alt17alt17

Keywords

LoopbackGraphQLApolloExpressJavascriptRESTAPIs

Readme

GraphQL Server for Loopback (Apollo Server)

CheckACL variation

Combine the powers of ApolloStack GraphQL with the backend of Loopback. All of Loopback models are exposed as GraphQL Queries. Define models in Loopback to be exposed as REST APIs and GraphQL queries and mutations *. Use the Apollo clients to access your data. NEW: Use Loopback ACL's to check user authentication to access the graphql endpoint and authorization for every document property.

Loopback Graphql

Getting started

npm install loopback-graphql-checkacl

Add the loopback-graphql component to the server/component-config.json:

"loopback-graphql": {
    "path": "/graphql",
    "graphiqlPath":"/graphiql",
    "checkIfAuthenticated": true
  }

Requests will be posted to path path. (Default: /graphql);

Graphiql is available on graphiqlPath path. (Default: /graphiql);

There's an unresolved bug in loopback that affects the behaviour of loopback-graphql-checkacl: https://github.com/strongloop/loopback/issues/2153

We made a patch for loopback/common/models/acl.js:

(acl.js line 232) Replace:

232      if (!req.isWildcard()) {
233        permission = candidate.permission;
234        break;
235      } else {

By:

232      if (!req.isWildcard()) {
233        // We should stop from the first match for non-wildcard
234        permission = candidate.permission;
235
236        // Not really. We must find the first permission that matches our request
237        var new_candidate = acls.find((acl) => {
238          return ((acl.principalType === principalType) && (acl.principalId === principalId));
239        });
240        if (new_candidate) {
241          candidate = new_candidate;
242        }
243
244        permission = candidate.permission;
245        break;
246      } else {

Add a break in next 'else':

      } else {
        if (req.exactlyMatches(candidate)) {
          permission = candidate.permission;
          break;
        }
        // For wildcard match, find the strongest permission
        var candidateOrder = AccessContext.permissionOrder[candidate.permission];
        var permissionOrder = AccessContext.permissionOrder[permission];
        if (candidateOrder > permissionOrder) {
          permission = candidate.permission;
        }
        break; // <<<--------------------
      }
    }

Usage

Access the Graphiql interface to view your GraphQL model onthe Docs section. Build the GraphQL queries and use them in your application.

geoPoint objects are supported as follow:

{"newNote": 
  {
    "location": {"lat":40.77492964101182, "lng":-73.90950187151662}
  }
}

How to check authentication

Every request to GraphQL endpoint must have the 'access_token' parameter.

http://yourserver/graphql?access_token=dxVEyZfnI6LHmWiqoBucvU2pDlSKh0PGpooanxdx1nFUGIGpsPYhkplZhygnTbAf

Look at server/component-config.json for "checkIfAuthenticated" option. What this options do is to check first is the user is correctly authenticated. If not, then GraphQL will raise an error:

{
  "error": "Unauthenticated",
  "data": null
}

Otherwise GraphQL will continue checking the ACLs for every property of your model. For instance, if you want authenticated users to read Customer's firstName but not Customer's lastName your model ACL will look like this:

  "acls": [
    {
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "$unauthenticated",
      "permission": "DENY"
    },
    {
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "$authenticated",
      "property": "firstName",
      "permission": "ALLOW"
    }
  ],

So, if you are an authenticated user, and you make the query with a valid access_token parameter you will get this:

Query:

{
  allCustomers(first: 10) {
    firstName
    lastName
  }
}

Result:

{
  "data": {
    "allCustomers": [
      {
        "firstName": "1",
        "lastName": "N/A"
      },
      {
        "firstName": "Renate",
        "lastName": "N/A"
      }
    ]
  }
}