@anyfin/acl v1.1.13
🛡 Anyfin ACL
Access control utilities for Node.js services. These can be used with or without GraphQL.
This is required for all services that contribute to the client-facing Apollo Federation graph.
Why don't we just implement this in the Apollo Federation gateway?
Because Apollo Federation is a gateway. Its only job is to route requests. It doesn't allow any modification of the schema, so we can't add directives at the gateway level that upstream services can use.
Since the roles and permissions for each field in the schema are controlled by the respective services, the logic needs to live within those services.
Hence this npm module aims to share the common ACL code that these services require and to keep all the services in sync.
Installation
    yarn add @anyfin/acl

Make sure you have installed these peer dependencies on your services:

    "graphql": ">=15.0.0",
    "apollo-server-express": ">=2.16.0"

GraphQL Usage
    // makeExecutableSchema and SchemaDirectiveVisitor are re-exported by apollo-server-express 2.x
    import { makeExecutableSchema, SchemaDirectiveVisitor } from 'apollo-server-express';
    import { authDirectiveTypeDef, AuthDirective } from '@anyfin/acl';
    // ...

    // Make sure to add authDirectiveTypeDef to your typedefs
    const schema = makeExecutableSchema({
      typeDefs: [...yourTypeDefs, authDirectiveTypeDef],
      resolvers,
    });
    // ...

    // Register the schema directive once the schema has been built
    SchemaDirectiveVisitor.visitSchemaDirectives(schema, {
      auth: AuthDirective,
    });

This will add the following directive to your GraphQL schema:

    @auth(permissions: [String!], roles: [String!]) on FIELD_DEFINITION

Also, the directive expects the GraphQL context to contain a user object taken from the decoded JWT.
So make sure you decode the JWT from the request header and add it to the context.
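The directive authorizes from whatever `user` the context holds, so the token's signature and expiry have to be checked before its claims are copied into `req.user`. The following is an added example, not code from @anyfin/acl: it assumes an HS256 token carrying `sub`, `roles`, `permissions` and `exp` claims, and `signToken`, `userFromAuthHeader` and `attachUser` are hypothetical names.

```javascript
// Added example, not part of @anyfin/acl. HS256 and the claim names are assumptions.
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (secret, input) => crypto.createHmac('sha256', secret).update(input).digest();

// Helper that mints a constructed token so the example runs offline.
function signToken(claims, secret) {
  const input = `${b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${b64url(hmac(secret, input))}`;
}

// Returns the user for the GraphQL context, or null when the header is missing,
// malformed, signed with another key or algorithm, or expired.
function userFromAuthHeader(header, secret, now = Date.now()) {
  const match = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(header || '');
  if (!match) return null;
  const [, head, body, sig] = match;
  let alg, claims;
  try {
    ({ alg } = JSON.parse(Buffer.from(head, 'base64url').toString()));
    claims = JSON.parse(Buffer.from(body, 'base64url').toString()) || {};
  } catch {
    return null;
  }
  // Pin the algorithm on the server side; the token does not get to choose it.
  if (alg !== 'HS256') return null;
  const expected = hmac(secret, `${head}.${body}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  if (typeof claims.exp !== 'number' || claims.exp * 1000 <= now) return null;
  // Only well-formed string arrays reach the ACL check.
  const strings = (v) => (Array.isArray(v) ? v.filter((x) => typeof x === 'string') : []);
  return { id: claims.sub, roles: strings(claims.roles), permissions: strings(claims.permissions) };
}

// Express middleware that populates req.user before the context function reads it.
const attachUser = (secret) => (req, _res, next) => {
  req.user = userFromAuthHeader(req.headers.authorization, secret);
  next();
};
```

A request that fails any check ends up with `req.user` set to `null`, so the context carries no roles or permissions for it.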
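    import { ApolloServer } from 'apollo-server-express';

    export default new ApolloServer({
      schema,
      context: ({ req }: Params) => ({
        // ...
        user: req.user, // user object from the decoded JWT, read by the @auth directive
        // ...
      }),
    });

Non GraphQL usage: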
    import { hasUserAccess, Roles, Permissions } from '@anyfin/acl';

    const user = {
      roles: [Roles.customer.key],
      permissions: [Permissions.Application.LIST],
    };

    // Check if user has a permission
    hasUserAccess(user, [Permissions.Aml.LIST]); // ---> false
    hasUserAccess(user, [Permissions.Application.LIST]); // ---> true
    hasUserAccess(user, [Customer.Read.SELF]); // ---> true

    // Check if user matches a complete role (roles are passed as the third argument)
    hasUserAccess(user, [], [Roles.employee.key]); // ---> false
    hasUserAccess(user, [], [Roles.customer.key]); // ---> true

Getting started
git clone this repo.
yarn install installs dependencies.
yarn test for test mode.
yarn lint for linting.
yarn build for building the library.
Deploy/Publish
To deploy a new version, bump the version in package.json and create a new GitHub release.
A GitHub Action should automagically deploy it to npm. ✨
Ownership/Audit