How to prevent a user to access data of an other user?

Phoenix Forum Questions / Help
, , ,
1

I’m working on a codebase composed of Phoenix+Absinthe+Ecto.

I’m looking for the right pattern to prevent a user to access data of another user through the GraphQL API.

For example let’s say a user has a login and an email (for authentication) and posts. I want other users to be able to see author of a post (ie: login of a user) but not other user’s email.

I have seen many concepts related to authorizations/permissions in Absinthe:

  • meta
    • private: true (don’t know what it enforce)
  • middleware
  • scopes (like scope: false or scope: Some.Module)
  • rules
  • Rajska.Authorization

I have also some part of the schema that goes directly from Absinthe to Ecto, without any resolver (some black magic introspection like might operate).

Most of them are already used in the code base. But they mainly ensure that the user is authenticated, is of role “user” and have some permissions like “read:profile”. But with that, a user can read the profile of an other.

I find the documentation or Absinthe pretty scarce on this aspect and tutorial I found on the web don’t go that deep.

What is the right approach to secure my API ?

2

There is a good book co-written by one of the authors of the library; Craft GraphQL APIs in Elixir with Absinthe: Flexible, Robust Services for Queries, Mutations, and Subscriptions by Bruce Williams and Ben Wilson

2 Likes
3

:open_mouth:
󠀠󠀠󠀠󠀠󠀠

4

Welcome to the “fun” of graphql, where you have to keep track at all times of who’s asking. You’re about to become very familiar with the word “resolvers”.

You’ll need something like this:

# in your user type
object :user do
  field!(:id, :id)
  field!(:login, :string)
  field(:email, :string, resolve: &Resolvers.UserResolver.resolve_email/3)
end

# the resolver it talks to
defmodule MyAppWeb.Resolvers.UserResolver do
  def resolve_email(%{id: user_id, email: email}, _args, %{context: %{current_user: current_user}}) do
    if current_user.id == user_id do
      {:ok, email}
    else
      {:error, :unauthorized}
    end
  end
end

In a nutshell, this overrides the way the user’s email is looked up from the user struct, and delegates it to the resolve_email method, which receives the user struct it’s acting on in the first argument. The context is available in the 3rd argument and you can check its current_user to figure out if you should be sending back the email or not.

I agree the docs are somewhat lacking, this is a basic pattern you will be doing A LOT and it took me longer than i would like to admit to figure it out too.

4 Likes
5

That’s what I opted for and it works.
Thanks a lot for you reply.