https://github.com/treedomtrees/mercurius-auth-opa
Mercurius Auth directive using Open Policy Agent
https://github.com/treedomtrees/mercurius-auth-opa
Last synced: 10 months ago
JSON representation
Mercurius Auth directive using Open Policy Agent
- Host: GitHub
- URL: https://github.com/treedomtrees/mercurius-auth-opa
- Owner: treedomtrees
- License: mit
- Created: 2024-06-10T07:09:50.000Z (about 2 years ago)
- Default Branch: master
- Last Pushed: 2024-07-23T13:59:05.000Z (almost 2 years ago)
- Last Synced: 2024-11-29T16:43:34.499Z (over 1 year ago)
- Language: TypeScript
- Homepage: https://www.npmjs.com/package/@treedom/mercurius-auth-opa
- Size: 22.5 KB
- Stars: 5
- Watchers: 6
- Forks: 2
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
Awesome Lists containing this project
README
# @treedom/mercurius-auth-opa
Mercurius Auth OPA is a plugin for Mercurius that adds an Authentication and Authorization directive using Open Policy Agent
__Made with β€οΈ atΒ Β [
](#-join-us-in-making-a-difference-)__, [join us in making a difference](#-join-us-in-making-a-difference-)!
## Usage
```typescript
import { opaAuthPlugin } from "@treedom/mercurius-auth-opa";
import { opaAuthDirective } from "@treedom/mercurius-auth-opa/opaAuthDirective";
const schema = `#graphql
${opaAuthDirective}
type Query {
ping(message: String!): String! @opa(path: "my/opa/policy", options: { ... })
}`
app.register(mercurius, {
schema,
resolvers: {
Query: {
ping: (source, args) => args.message,
},
},
})
app.register(opaAuthPlugin, {
opaEndpoint: 'https://my.opa.endpoint',
})
```
## OPA policy input
This plugin queries OPA providing the following properties as `input`
- `headers` the Fastify headers object
- `parent` the Mercurius parent object of the field/object which got queried
- `args` the Mercurius args object of the field/object which got queried
- `options` static untyped properties defined in the directive arguments _(optional)_
### Example Rego Policy
Let's imagine a GraphQL server which accept requests authorized using JWTs containing the `role` property in their claims.
The following Rego uses a hypotetical `oidc.verify_token` that validates the JWT signature and returns the token claims
or false if the token is not valid.
```rego
package my.opa.policy
import rego.v1
import data.oidc
default allow := false
allow if {
user := oidc.verify_token(input.headers.authorization)
user
user.role = "admin"
}
```
## Custom directive
The authorization directive can be customized registering a custom one in the schema and specifying its name in the plugin configuration
```graphql
scalar OpaOptions
directive @policy(path: String!, options: OpaOptions) on OBJECT | FIELD_DEFINITION
```
```typescript
app.register(opaAuthPlugin, {
// ...
authDirective: 'policy'
})
```
```typescript
app.register(opaAuthPlugin, {
// ...
opaOptions: {
// ...
}
})
```
## π³ Join Us in Making a Difference! π³
We invite all developers who use Treedom's open-source code to support our mission of sustainability by planting a tree with us. By contributing to reforestation efforts, you help create a healthier planet and give back to the environment. Visit our [Treedom Open Source Forest](https://www.treedom.net/en/organization/treedom/event/treedom-open-source) to plant your tree today and join our community of eco-conscious developers.
Additionally, you can integrate the Treedom GitHub badge into your repository to showcase the number of trees in your Treedom forest and encourage others to plant new ones. Check out our [integration guide](https://github.com/treedomtrees/.github/blob/main/TREEDOM_BADGE.md) to get started.
Together, we can make a lasting impact! ππ
## Contributing
Contributions are welcome! Please read the contributing guidelines before submitting a pull request.
## License
This project is licensed under the MIT License.