graphql-rbac provides a simple way to use role-based access control (RBAC) in GraphQL. The package integrates with graphql-shield, which helps you create a permission layer for your application. Given a schema that maps each field to an array of roles, graphql-rbac generates the corresponding graphql-shield rule functions, so you can add RBAC to your application just by providing a schema.
- Easy to specify rule permissions for each field in GraphQL.
- No need to write rule functions yourself.
yarn add graphql-rbac
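import { RBAC } from 'graphql-rbac'

// NOTE(review): GraphQLServer is used at the bottom of this example but is not
// imported in the snippet; import it from the GraphQL server package your
// application uses.

// Every role name the permission schema may refer to.
const roles = ['ADMIN', 'DEVELOPER']

// Permission schema: for each GraphQL type and field, the roles allowed to
// access it. Here only ADMIN may call deleteUser or read User.password.
// NOTE(review): confirm how graphql-rbac treats fields that are not listed
// here (allowed or denied) before relying on this schema as the only gate.
const schema = {
  Query: {
    users: ['ADMIN', 'DEVELOPER']
  },
  Mutation: {
    createUser: ['ADMIN', 'DEVELOPER'],
    updateUser: ['ADMIN', 'DEVELOPER'],
    deleteUser: ['ADMIN']
  },
  User: {
    password: ['ADMIN']
  }
}

const typeDefs = ` type Query { users: [User!]! } type Mutation { createUser: User! updateUser: User! deleteUser: User } type User { username: String! password: String! } `

// Stub resolvers returning fixed sample data; the password values are
// placeholders, not real credentials.
const resolvers = {
  Query: {
    users: () => [
      { username: 'Tom', password: '****' },
      { username: 'John', password: '****' },
    ]
  },
  Mutation: {
    // The object literals are wrapped in parentheses: without them the braces
    // are parsed as an arrow-function block body, which is a syntax error here.
    createUser: () => ({ username: 'Tom', password: '****' }),
    updateUser: () => ({ username: 'John', password: '****' }),
    deleteUser: () => null
  }
}

// Demo user table keyed by the raw value of the Authorization header.
const users = {
  admin: { role: 'ADMIN' },
  developer: { role: 'DEVELOPER' }
}

/**
 * Resolve the calling user from the incoming request.
 *
 * Demo only: the Authorization header value is used directly as the user key,
 * so any client can claim any role by sending "admin" or "developer". A real
 * deployment should verify a signed token or session here and derive the role
 * from the verified identity.
 *
 * @param {object} req - Request context; reads req.request.headers.authorization.
 * @returns {Promise<object>} The matching user record, or an empty object when
 *   the header is missing or does not match a known user.
 */
const getUser = async (req) => {
  const auth = req.request.headers.authorization
  // Own-property check so header values such as "constructor" or "__proto__"
  // cannot resolve to members inherited from Object.prototype.
  if (typeof auth === 'string' && Object.prototype.hasOwnProperty.call(users, auth)) {
    return users[auth]
  }
  return {}
}

const rbac = new RBAC({ roles, schema, getUser })

// rbac.middleware() enforces the permission schema; rbac.context(req) puts the
// resolved user on the GraphQL context under `user`.
const server = new GraphQLServer({
  typeDefs,
  resolvers,
  middlewares: [rbac.middleware()],
  context: req => ({
    user: rbac.context(req)
  }),
})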
npm run test
Apache-2.0