GraphQL only role

I think it would be helpful to be able to mark a role as “GraphQL only”. All its other role permissions would work as usual (when entered through GraphQL), but it wouldn’t have access to the Fauna shell or any of the libraries that allow arbitrary FQL execution.

The benefit I see is that this would essentially allow finer grain control over the document data that’s exposed (both read and write), as well as only allowing the execution of certain UDFs under controlled circumstances.

The read access should be pretty self-explanatory. Say I have a User document and I want to store their email address. I want most of the User document to have public read access but not the email. By excluding email from the GraphQL schema I can easily do this, as long as the role can’t be used to fire up a Fauna shell and read the whole document that way.

Write access is a bit harder to explain, but say I have a Twitter clone (hi Fwitter) and for simplicity I want to store a count of the number of likes in a Tweet document. If a user adds a “like” I want to make sure they haven’t already liked this tweet and then increment the like count. I obviously don’t want to give them blanket write access to the whole Tweet document, and I don’t even want to give them write access to just be able to increment the “like” number via a complex predicate. I want a level of fine grain control which I think is only available if they don’t have a path to run uncontrolled queries.

While the current ABAC rules and predicates are very cool and can be quite powerful, I think this would be a convenient (and beginner friendly) addition.
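The "like" scenario in the post above, sketched with the existing ABAC model as an added example (not part of the original post and not Fauna's own code): the check-and-increment lives in a UDF, and the role may only call that UDF. It is written in FQL v4 shell syntax; the collection, index, function and role names are hypothetical, and it assumes users log in as documents in a `User` collection.

```fql
// Run each statement as its own query. All names below are hypothetical.

// One Like document per (user, tweet) pair; unique: true backs up the UDF check.
CreateIndex({
  name: "like_by_user_and_tweet",
  source: Collection("Like"),
  terms: [{ field: ["data", "user"] }, { field: ["data", "tweet"] }],
  unique: true
})

// The UDF runs with "server" privileges; its callers get none of them directly.
CreateFunction({
  name: "like_tweet",
  role: "server",
  body: Query(
    Lambda(
      ["tweetId"],
      Let(
        {
          // The liker is taken from the token, never from caller input.
          user: CurrentIdentity(),
          // Build the ref here so the caller cannot point it at another collection.
          tweet: Ref(Collection("Tweet"), Var("tweetId"))
        },
        If(
          Exists(Match(Index("like_by_user_and_tweet"), [Var("user"), Var("tweet")])),
          Abort("tweet already liked"),
          Do(
            Create(Collection("Like"), { data: { user: Var("user"), tweet: Var("tweet") } }),
            // Return only the new count, not the whole Tweet document.
            Select(
              ["data", "likes"],
              Update(Var("tweet"), {
                data: { likes: Add(Select(["data", "likes"], Get(Var("tweet")), 0), 1) }
              })
            )
          )
        )
      )
    )
  )
})

// The role grants nothing except calling the UDF: no read or write on Tweet or Like.
CreateRole({
  name: "tweet_liker",
  membership: [{ resource: Collection("User") }],
  privileges: [{ resource: Function("like_tweet"), actions: { call: true } }]
})
```

A token holding only this role can still be used from the shell or a driver, but the only operation it is granted there is `Call(Function("like_tweet"), "<tweet id>")`.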

I’m surprised this doesn’t have more votes. This would allow Fauna to be used as a backend as a service for most apps.

1 Like

I built Pfunk (www.pfunk.io) largely because this isn’t available.

3 Likes

That’s really cool. I’ve actually abandoned Fauna since they never fixed the bug I reported in Jan 2021 that was holding my project back for over a year. But if I ever change my mind I’ll take a look at that.

@lnr We are sorry that you had to leave us since we were unable to add the feature you require soon enough. Although the service is running as expected (not a bug), it is clear it is not as flexible as you and others need it to be.

At this time, we have added the ability to generate UDFs for the top-level CRUD operations, which provides much more control over how you apply ABAC to GraphQL. We are still working on a feature to provide UDF control of user-type fields, which is still needed for granular ABAC control of your query at every level.

@man2xxl pfunk looks exciting! Great work!

Any update on the feature to provide UDF control of user-types fields?

Hi @man2xxl! Unfortunately not at this time.

We have been hard at work on other features and exciting things coming down the pipe. That said, GraphQL is still very top of mind! The upcoming changes will lay a lot of the groundwork for us to improve the GraphQL service.