GraphQL-Authz is a Python port of GraphQL-Authz, the Casbin authorization middleware implementation in Node.js.
This package should be used with GraphQL-core 3, providing the capability to limit access to each GraphQL resource with the authorization middleware.
Install the package using pip.
pip install casbin-graphql-authz
Limit the access to each GraphQL resource with a policy. For example, given this policy for an RBAC model:
p, authorized_user, hello, query
Authorization can be enforced using:
import casbin
from authz.middleware import enforcer_middleware
from graphql import (
graphql_sync,
GraphQLSchema,
GraphQLObjectType,
GraphQLField,
GraphQLString,
)
schema = GraphQLSchema(
query=GraphQLObjectType(
name="RootQueryType",
fields={
"hello": GraphQLField(
GraphQLString,
resolve=lambda obj, info: "world")
}))
enforcer = casbin.Enforcer("model_file.conf", "policy_file.csv")
authorization_middleware = enforcer_middleware(enforcer)
query = """{ hello }"""
# Authorized user ("authorized_user") has access to data
response = graphql_sync(
schema,
query,
middleware=[authorization_middleware],
context_value={"role": "authorized_user"}
)
assert response.data == {"hello": "world"}
# Unauthorized users ("unauthorized_user") are rejected
response = graphql_sync(
schema,
query,
middleware=[authorization_middleware],
context_value={"role": "unauthorized_user"}
)
assert response.errors[0].message == "unauthorized_user can not query hello"
For more interesting scenarios see tests
folder.
Implementation was heavily inspired by the Node.js middleware GraphQL-Authz.
Authorization enforcement is based on Casbin authorization library.