Joel Corona — 09/16/2021, 1:50 PM

thdxr — 09/16/2021, 2:06 PM

Joel Corona — 09/16/2021, 2:07 PM

thdxr — 09/16/2021, 2:10 PM

Joel Corona — 09/16/2021, 2:11 PM

Omi Chowdhury — 09/16/2021, 2:49 PM
graphql-shield with apollo. The last REST API I did had individual lambdas for each endpoint/method. For that one I created a shared auth lib. It had two modes - for admin and user functionality.
Admin auth was a function that when called it
• checked you had the admin role on the request object (admin role was stored on the jwt via auth0)
• threw an exception if you weren’t an admin
User auth took in an async check function as a parameter. When called it'd:
• retrieve the user from the DB (unless it was already attached to the request object)
• run the check function, with the user as a parameter (since this function is passed in, it has access to the closure of the calling code, so it can check entity.owner === user.id etc). Could also make its own db calls if needed, but usually the data needed to authorise had to be loaded by the handler anyway. Check function must return true
• throw an exception if the user isn't found or the check function doesn't return true

Drew — 09/17/2021, 1:21 AM

Omi Chowdhury — 09/17/2021, 1:23 AM

Jay