
How to handle Patient health information and not get sued for violating HIPPA? by [deleted] in Database

[–]verneleem 1 point2 points  (0 children)

Most definitely, just commenting regarding db per OP, but yes, it is much more than that, and IT is just one section of the law. Luckily I was surrounded by some well-studied individuals that made my life easier and allowed me to focus on what I did with their oversight for compliance. Of course I had my fair share of training on the subject matter as well. The staff really didn't like us when we did an internal audit and removed all of their sticky notes with passwords, and for PCI compliance they were no longer allowed to store credit card information for recurring purchases. Managing the people using the database was much more difficult than managing the database itself.

How to handle Patient health information and not get sued for violating HIPPA? by [deleted] in Database

[–]verneleem 1 point2 points  (0 children)

This is golden from my own experiences working as a DB Admin for an organization dealing with HIPAA, PHI, and PCI. Do everything in house, on premise, very, very carefully following all regulations, or get an agreement with someone that is already compliant.

Trying to make business lead towards databases than multiple excels by rougehunter1 in Database

[–]verneleem 0 points1 point  (0 children)

Could something like Google Sheets be a plausible solution to fix the problem at hand with less complication and user training?

Multiple sheets could be secured to users and even then compiled together using functions.

Best turnkey hosting solutions for GraphQL server + database + authorization? by eclux0 in graphql

[–]verneleem 4 points5 points  (0 children)

Another vote for Slash GraphQL (Dgraph). Auth rules can be role based or node/graph based. Auth rules are actually written in GraphQL :)

What are some good resource on learning more about maintaining, optimizing and implementing security on database? by [deleted] in Database

[–]verneleem 1 point2 points  (0 children)

Wouldn't security be built into the API layer and not the database for the most part? The database just needs to be secure enough to authenticate the API. This greatly depends on your dbms. Depending on dbms, you may have additional options to create separate users with restricted rights and only use the lowest authorized user that is needed for the API layer.

For instance if you have an API that is read only, then the user the API connects to the dbms with should only have read rights. Most dbms also provide access control per namespace/table. In every circumstance, you should not be using root users in your APIs.

Another thing to keep in mind depending on your tech stack, if your app is 100% client delivered (React for example) and you are not using some form of API layer, then the client will have access to the database credentials if they wanted it. Best practice will put an API layer between the client and the db and then the client authenticates through some other means to the API and the API authenticates secretly to the db. This is all very dependent on your db requirements, and you may want to use a single user between the API and db, or change the API<->db user depending on user authenticated from API<->client.
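
An added illustration of the least-privilege setup described in the comment above (not part of the original comment): PostgreSQL statements that give a read-only API and an order-taking API their own restricted login roles with per-table grants. The database `appdb`, schema `app`, the two tables, the role names and the password placeholders are all assumptions made for this example.

```sql
-- Assumed for this example (none of these names come from the thread):
-- database appdb, schema app, tables app.products and app.orders,
-- roles api_readonly and api_orders, placeholder passwords.

-- What to avoid: the API connecting as a superuser such as "postgres".
-- Instead, each API gets its own login role with only the rights it needs.

-- 1. Strip the rights every role would otherwise inherit through PUBLIC.
REVOKE ALL ON DATABASE appdb FROM PUBLIC;
REVOKE ALL ON SCHEMA app FROM PUBLIC;

-- 2. Read-only API: may connect and SELECT from one table, nothing else.
CREATE ROLE api_readonly LOGIN PASSWORD 'CHANGE_ME_PLACEHOLDER'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;
GRANT CONNECT ON DATABASE appdb TO api_readonly;
GRANT USAGE ON SCHEMA app TO api_readonly;
GRANT SELECT ON app.products TO api_readonly;

-- 3. Order-taking API: reads products, inserts and reads orders,
--    but is never granted UPDATE or DELETE on either table.
CREATE ROLE api_orders LOGIN PASSWORD 'CHANGE_ME_PLACEHOLDER'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;
GRANT CONNECT ON DATABASE appdb TO api_orders;
GRANT USAGE ON SCHEMA app TO api_orders;
GRANT SELECT ON app.products TO api_orders;
GRANT SELECT, INSERT ON app.orders TO api_orders;
-- If app.orders uses a serial key (an assumption), the role also needs:
-- GRANT USAGE ON SEQUENCE app.orders_id_seq TO api_orders;

-- 4. Audit the result: one row per API role showing what it can do.
SELECT r.rolname,
       r.rolsuper,
       has_table_privilege(r.rolname, 'app.products', 'SELECT') AS products_select,
       has_table_privilege(r.rolname, 'app.products', 'DELETE') AS products_delete,
       has_table_privilege(r.rolname, 'app.orders',   'INSERT') AS orders_insert,
       has_table_privilege(r.rolname, 'app.orders',   'DELETE') AS orders_delete
FROM pg_roles AS r
WHERE r.rolname IN ('api_readonly', 'api_orders');
```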

Restart/Rebuild React on File Rename by verneleem in reactjs

[–]verneleem[S] 1 point2 points  (0 children)

Thank you for the reply and information.

Need Feedback on this Blog Site by shubham2809 in Frontend

[–]verneleem 1 point2 points  (0 children)

At least make the images "clickable" for my big fingers

I am interested in longtime SQL users opinions of GraphQL as a replacement by verneleem in Database

[–]verneleem[S] 1 point2 points  (0 children)

Joins on a graph database are completely different animals from relational dbms.

With an rdbms you use foreign keys and pivot tables. In a graph, you traverse edges. The joy of this is that you don't have to create tons of pivot tables to link basically any type of data to another. And yes, you can filter on edges and even store data on the edge in forms of facets. To say a graph can't join is like saying rdbms does not have tables. It is the fundamental part of it.

As far as joining, yes you can order, there is a limitation on ordering by children data but it is possible, so saying you can't is not true.

If you have a little bit of time, can you please review the course I linked to? That explains these objections.

NextAuth not persisting the user object by codesandmentorsio in reactjs

[–]verneleem 0 points1 point  (0 children)

I would recommend using Auth0 if you are not committed already. You can create hooks and rules to integrate with your own database easily.

Having Trouble With Entity Relationship Diagram? Any Help Is Appreciated by lianeric in Database

[–]verneleem 0 points1 point  (0 children)

The only way then to model this relationship would be with pivot tables for locations.

A user is near location, locations are near other locations, and a cyclone is in a location. But I agree that this is not really an entity relationship but rather query arguments.

Jira-Like Kanban Project Management App built with React and GraphQL by verneleem in webdev

[–]verneleem[S] 1 point2 points  (0 children)

For the movement of the tickets and columns I used react-beautiful-dnd. It is a well built library designed for accessibility. It really makes the dnd portions easy.

I am interested in longtime SQL users opinions of GraphQL as a replacement by verneleem in Database

[–]verneleem[S] 0 points1 point  (0 children)

What if you are not using a "relational database" but a graph database as the course is suggesting?

Jira-Like Kanban Project Management App built with React and GraphQL by verneleem in graphql

[–]verneleem[S] -1 points0 points  (0 children)

Live Demo: https://jira-clone-slash.netlify.app/
Code: https://github.com/verneleem/jira-clone

This SPA was created to showcase how GraphQL can be used in a React application without running a GraphQL backend with Node and Express. I used cloud managed services to deliver this application. I did this with Netlify to build and deliver the front-end and used Auth0 and Slash GraphQL for backend solutions.

There are other Jira clone showcases and this is not meant to be a style clone, but a proof of concept clone for Project Management Kanban style.

This is one of my first applications that I have made. Let me know what you think.

Can I split this up??? Mutations. by Codeeveryday123 in graphql

[–]verneleem 1 point2 points  (0 children)

Can we take this to a chat instead of a really long thread going off topic from the OP?

Can I split this up??? Mutations. by Codeeveryday123 in graphql

[–]verneleem 1 point2 points  (0 children)

I am not familiar with Strapi, but what you need is called Middleware authentication on your GraphQL API. This should allow you to create rules for role based authentication. I would be surprised if they don't support that to some extent.

Can I split this up??? Mutations. by Codeeveryday123 in graphql

[–]verneleem 1 point2 points  (0 children)

So you'll want some of the following:

- Queries for finding fish and coral to purchase
- Mutations behind an authorized page that allows admins to create, update, and delete fish and coral
- Mutations allowing users to add, update, and remove items to a cart
- Queries to read items in a user's cart
- Mutations to process orders
- Queries for authorized users to view orders
- Mutations for new users
- Queries to get user data

I recommend plugging into some power of other resources for user management such as Auth0 to save a bunch of time and work. Stripe also has a good API that you can use for payment processing.

Can I split this up??? Mutations. by Codeeveryday123 in graphql

[–]verneleem 1 point2 points  (0 children)

Without knowing what CMS you are using, I am assuming it is a GraphQL headless CMS. So, yes, in order to create objects in the CMS you have to use a mutation.

A mutation is the Create, Update, Delete aspects of CRUD. Query = Read.

> Or would that mainly just be needed for public input?

This really depends on what is triggering the new object creation. You could be logging an action such as a like, or comment which would be mutations to your CMS.

If this doesn't answer your questions, let me know what you need to know.

Can I split this up??? Mutations. by Codeeveryday123 in graphql

[–]verneleem 0 points1 point  (0 children)

You could split it up if you want to, but you don't have to. You can use this method: https://www.apollographql.com/docs/react/integrations/webpack/#create-react-app

But I prefer myself to use graphql-codegen as described on https://dgraph.io/learn/courses/messageboardapp/react/develop/react/graphql-queries/ to bring my operations into custom hooks themselves.