https://github.com/cerbos/demo-graphql

A Typescript GraphQL demo of integrating Cerbos with GQL
https://github.com/cerbos/demo-graphql

access-control graphql nodejs policy security typescript

Last synced: 9 months ago
JSON representation

A Typescript GraphQL demo of integrating Cerbos with GQL

• Host: GitHub
• URL: https://github.com/cerbos/demo-graphql
• Owner: cerbos
• License: apache-2.0
• Created: 2021-03-28T13:02:20.000Z (over 5 years ago)
• Default Branch: main
• Last Pushed: 2024-06-20T08:31:28.000Z (about 2 years ago)
• Last Synced: 2024-06-21T21:07:43.357Z (about 2 years ago)
• Topics: access-control, graphql, nodejs, policy, security, typescript
• Language: TypeScript
• Homepage: https://cerbos.dev
• Size: 976 KB
• Stars: 13
• Watchers: 16
• Forks: 5
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# Demo GraphQL

This project showcases using Cerbos inside of a GraphQL server.

To enable batching of requests, the authorization calls are performed via a [dataloader](https://github.com/graphql/dataloader) instance which is configured per request in the [GraphQL server context](/src/context.ts) and automatically adds in the principal information from the request.

## Setup

- Have Node v22+ on your machine (recommend using NVM)

- Run `npm install` to get the node dependencies.

## Running

To boot the GraphQL server and Cerbos instance run `npm run start`

Once running, you can access GraphQL Playground [http://localhost:4000/](http://localhost:4000/). You must set a token (as per below) as a request header for the schema introspection to work.

## Policies

- IT can do everything

- Users can create invoices

- Users can view their invoices

- Users can update their own un-approved invoices

- Users can delete their own un-approved invoices

- Managers view all invoices in their region

- Managers update un-approved invoices in their region

- Managers delete un-approved invoices in their region

- Finance can view all invoices

- Finance can approve all invoices

## Sample Queries

To run these you need to set an HTTP header called `token` which identifies the user (and thus their permissions)

![Setting token](auth.png)

Some exampe tokens:

- `key:sajit:it` is an IT Admin

- `key:joe:finance` is an EMEA Finance person

- `key:sally:sales` is an EMEA Salesperson

- `key:zeena:sales` is an North America sales person

- `key:john:manager-emea` is an EMEA Manager in sales

- `key:brock:manager-na` is a North America Manager in sales

### Get an Expense

```

{

  expense(id: "expense2") {

    id

    amount

    status

    vendor {

      name

    }

    createdBy {

      name

    }

    approvedBy {

      name

    }

  }

}

```

### Approve an Expense

```

mutation {

  approveExpense(id: "expense1")

}

```

## Demo Video - Watch this demo with commentary



    
Cerbos GraphQL Demo - Watch Video


    



## Playground

Launch the policy from this demo in our playground. Play with it to see how Cerbos behaves.