Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update authorization.md #4556

Merged
merged 4 commits into from
Jan 6, 2022
Merged

Update authorization.md #4556

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
9fb07b7
Update authorization.md
mauricio094 Dec 14, 2021
d43e085
Update authorization.md
michaelstaib Dec 14, 2021
e6b1af3
Merge branch 'main' into patch-3
mauricio094 Dec 22, 2021
e4ff422
Merge branch 'main' into patch-3
michaelstaib Jan 6, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 27 additions & 1 deletion website/src/docs/hotchocolate/security/authorization.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,32 @@ type User @authorize {
Specified on a type the `@authorize` directive will be applied to each field of that type. Its authorization logic is executed once for each individual field, depending on whether it was selected by the requestor or not. If the directive is placed on an individual field, it overrules the one on the type.

If we do not specify any arguments to the `@authorize` directive, it will only enforce that the requestor is authenticated, nothing more. If he is not and tries to access an authorized field, a GraphQL error will be raised and the field result set to `null`.

> ⚠️ Note: Using the @authorize directive, all unauthorized requests by default will return status code 200 and a payload like this:
```json
{
"errors": [
{
"message": "The current user is not authorized to access this resource.",
"locations": [
{
"line": 2,
"column": 3
}
],
"path": [
"welcome"
],
"extensions": {
"code": "AUTH_NOT_AUTHENTICATED"
}
}
],
"data": {
"welcome": null
}
}
```

## Roles

Expand Down Expand Up @@ -335,7 +361,7 @@ public class Startup

This method also accepts [roles](#roles) and [policies](#policies) as arguments, similiar to the `Authorize` attribute / methods.

Please note that this will prevent unauthorized access to all middleware included in `MapGraphQL`. This includes our GraphQL IDE Banana Cake Pop. If we do not want to block unauthorized access to Banana Cake Pop, we can split up the `MapGraphQL` middleware and for example only apply the `RequireAuthorization` to the `MapGraphQLHttp` middleware.
> ⚠️ Note: Unlike the `@authorize directive` this will return status code 401 and prevent unauthorized access to all middleware included in `MapGraphQL`. This includes our GraphQL IDE Banana Cake Pop. If we do not want to block unauthorized access to Banana Cake Pop, we can split up the `MapGraphQL` middleware and for example only apply the `RequireAuthorization` to the `MapGraphQLHttp` middleware.

[Learn more about available middleware](/docs/hotchocolate/server/middleware)

Expand Down