Hot Chocolate Security Docs. #3584

Merged
merged 28 commits into from
May 23, 2021
michaelstaib
Member

No description provided.

@sonarqubecloud

Kudos, SonarCloud Quality Gate passed!

- 0 Bugs (rating A)
- 0 Vulnerabilities (rating A)
- 0 Security Hotspots (rating A)
- 0 Code Smells (rating A)

No Coverage information
No Duplication information

Collaborator

@tobias-tengler tobias-tengler left a comment

Good job! I was thinking of documenting Authorization myself next. I think this will help a lot of folks! :)

Maybe you could rename the directory from Security to security, so it fits the other directories. I'm not sure how it's handled, but the uppercase letter might look off in the URL.
Also, it would be nice if you could integrate these documents on the website. I would like to read them again on the actual website locally.


We basically can do it in any way ASP.NET core allows us to.

[Overview of ASP.NET Core authentication](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/?view=aspnetcore-3.1)
Collaborator

I think it would be helpful to add a section on how to access the authenticated user (ClaimsPrincipal) in your resolver.

Member Author

Authorization docs are not done yet ... just copied them from V10.


The `@authorize`-directive on a field takes precedence over one that is added on the object type definition.

SDL-First:
Collaborator

I think the ExampleTabs would be better suited for the code examples in these documents.

protected override Configure(IObjectTypeDescriptor<Person> descriptor)
{
descriptor.Authorize();
descriptor.Field(t => t.Address).Authorize();
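
Review bot: `Configure` on the first line of this snippet is declared without a return type (`protected override Configure(...)`), so a reader who copies it into a type class gets a compile error instead of an authorized type. Declare it as `protected override void Configure(IObjectTypeDescriptor<Person> descriptor)`.
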
Collaborator

This is not equivalent to the other examples.


> If the field is a non-null field the standard GraphQL non-null violation propagation rule is applied like with any other GraphQL error and the fields along the path are removed until the execution engine reaches a nullable field or the while result was removed.

## Roles
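
Review bot: Typo in the quoted note just above the `## Roles` heading: "or the while result was removed" should read "or the whole result was removed". The sentence describes what a client sees when authorization fails on a non-null field, so the wording should be unambiguous.
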
Collaborator

I think we could also mention that in general it would be a good/better idea to do validation of roles inside your business logic layer, i.e. inject the ClaimsPrincipal into your business layer. That way you don't have the issue of roles getting out of sync if you are, for example, hosting a REST and GraphQL service side-by-side.
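
A sketch of the suggestion in the comment above, as an added example that is not code from this pull request or from Hot Chocolate. It uses only `System.Security.Claims`; `PersonService`, the `hr` role name and the sample data are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Hypothetical domain type; Address is nullable so it can be withheld.
public record Person(int Id, string Name, string? Address);

// Hypothetical business-layer service shared by a REST controller and a
// GraphQL resolver. Both pass in the current ClaimsPrincipal, so the role
// rule exists in exactly one place and cannot drift between the two APIs.
public sealed class PersonService
{
    private const string AddressReaderRole = "hr"; // assumed role name

    private readonly Dictionary<int, Person> _people = new()
    {
        [1] = new Person(1, "Ada", "1 Constructed Street"), // constructed sample data
    };

    public Person GetPerson(ClaimsPrincipal user, int id)
    {
        // Fail closed: a missing or unauthenticated principal is rejected.
        if (user?.Identity?.IsAuthenticated != true)
            throw new UnauthorizedAccessException("Authentication required.");

        if (!_people.TryGetValue(id, out var person))
            throw new KeyNotFoundException($"Person {id} not found.");

        // Field-level rule: only the assumed role may read the address.
        return user.IsInRole(AddressReaderRole)
            ? person
            : person with { Address = null };
    }
}

public static class Program
{
    public static void Main()
    {
        var service = new PersonService();
        // A non-empty authenticationType makes the identity authenticated.
        var hr = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Role, "hr") }, authenticationType: "test"));
        var guest = new ClaimsPrincipal(new ClaimsIdentity(
            Array.Empty<Claim>(), authenticationType: "test"));
        var anonymous = new ClaimsPrincipal(new ClaimsIdentity());

        Console.WriteLine(service.GetPerson(hr, 1).Address);
        Console.WriteLine(service.GetPerson(guest, 1).Address ?? "(hidden)");
        try { service.GetPerson(anonymous, 1); }
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }
    }
}
```
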

@michaelstaib michaelstaib changed the title Hot Chocolate Security Docs. WIP: Hot Chocolate Security Docs. Apr 25, 2021
@michaelstaib michaelstaib changed the base branch from main to develop May 18, 2021 21:39
@michaelstaib michaelstaib self-assigned this May 18, 2021
@michaelstaib michaelstaib added this to the HC-2021-06 milestone May 18, 2021
@michaelstaib michaelstaib changed the title WIP: Hot Chocolate Security Docs. Hot Chocolate Security Docs. May 23, 2021
@michaelstaib michaelstaib merged commit 8c61376 into develop May 23, 2021
@michaelstaib michaelstaib deleted the mst/hot-chocolate-security-docs branch May 23, 2021 21:58