I'm attempting to give my fulcro full stack app another go and am coming across some difficulty understanding how to properly handle authentication and authorization with pathom.
My current approach has had me install a middleware in my server before my call to process; I then parse all the mutations out of the request and check the data attributes on the mutation definitions to decide if the given user has permission to call said mutation. This approach doesn't really seem feasible for resolvers, however (perhaps I am wrong?). I saw something about guards, but I haven't been able to find that documentation anymore. Am I doing it right? Any examples of people doing authorization and roles with pathom? I would like to clearly demarcate which resolvers and endpoints are accessible under which conditions.
I'm using fulcro defattr to do my models and generate resolvers with fulcro-rad-sql, but a similar approach could be taken with vanilla pathom: I made a small lib, pathau, that augments incoming queries if they have attributes that require some sort of authz, by adding an authz attribute, e.g. :that-entity/authz. Then I have a plugin that, based on the authz of the user in regard to that entity, removes some attributes that they are not allowed to see.

Advantages:
• can leverage batch resolution of required attributes to establish authz
• fine grained authorization: can be decided at attribute level
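The two steps described above (augment the query with an authz attribute, then prune attributes the caller may not see) sketched in plain Clojure as an added example; this is not pathau's code or pathom's API, and the attribute names, roles, the `:account/authz` attribute and the stub authz resolver are constructed assumptions.

```clojure
(ns example.authz
  (:require [clojure.set :as set]))

;; Constructed policy (assumption): the roles that may read each protected
;; attribute. Attributes absent from this map are readable by anyone.
(def attribute-roles
  {:account/email   #{:admin :owner}
   :account/balance #{:admin :owner}
   :account/notes   #{:admin}})

(defn protected-attrs
  "Attributes of an EQL query vector that appear in the policy.
   A join {:k [...]} is reduced to its key :k."
  [query]
  (->> query
       (map #(if (map? %) (ffirst %) %))
       (filter (set (keys attribute-roles)))))

(defn augment-query
  "Step 1: when the query asks for any protected attribute, also ask for the
   synthetic :account/authz attribute so the resolver graph computes the
   caller's roles for this entity together with the rest of the entity."
  [query]
  (if (seq (protected-attrs query))
    (conj query :account/authz)
    query))

(defn resolve-authz
  "Stub for the authz resolver (constructed): the caller's roles relative
   to this account. A real resolver would look this up, batched per entity."
  [current-user account]
  (cond-> #{}
    (:admin? current-user)                        (conj :admin)
    (= (:user/id current-user) (:account/owner account)) (conj :owner)))

(defn prune-result
  "Step 2: drop every protected attribute whose required roles do not
   intersect the roles in :account/authz, then drop the authz attribute
   itself so it never reaches the client."
  [result]
  (let [roles (get result :account/authz #{})]
    (reduce-kv (fn [m k v]
                 (let [required (attribute-roles k)]
                   (if (and required (empty? (set/intersection required roles)))
                     m
                     (assoc m k v))))
               {}
               (dissoc result :account/authz))))
```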
Thanks, something like this was exactly what I was after
I do #3 on the top comment. It works, but it's not a very satisfying solution. It requires a lot of manual and error prone work, and it results in a lot of repetitive checks. You can create your own infrastructure to alleviate some of that pain, but you are really on your own.