ScopeAuth Plugin - Prevent User From Accessing Other Group's Data #845

arimgibson · 2023-03-20T01:51:30Z

arimgibson
Mar 20, 2023
Sponsor

Hi all! I'm currently working on an application that consists of users belonging organizations. While there are different roles inside the organization, no one should be able to access data from other organizations.

My original thought, which probably works, is to have the following authScope on each object:

builder.prismaObject('User', {
  runScopesOnType: true,
  authScopes: (user, context) => {
    if (context.user.org.id !== user.organization_id) return false;
    ...
  },
})

However, this is a little repetitive and could be error prone to implement and maintain on every single object. Is there an easier way to do this on a global scope?

Another idea worth mentioning would be to add the user's organization ID to each query's where field, but again, that's quite repetitive. And, because Prisma would return just an empty object when the user's organization doesn't match the organization of the data they're requesting, we wouldn't know if the data simply didn't exist or if the user was unauthorized.

Thanks!

Answered by hayes

Mar 20, 2023

Generally having auth enforced as part of your queries so content the user isn't authorized for is never loaded is ideal (adding conditions to your where clause). Pothos doesn't really provide anything that helps with this though.

There isn't a good way to global define and enforce these rules across multiple objects, because Pothos doesn't really understand the relations between the different objects in a way that would allow knowing if a particular relation denotes ownership/access.

What you can do share/simplify how the auth scope for organizations is defined:

You can create a scope like accessOrganization: string, that does something like

authScopes: (ctx) => ({
  accessOrganization: (id

View full answer

hayes · 2023-03-20T06:19:16Z

hayes
Mar 20, 2023
Maintainer

Generally having auth enforced as part of your queries so content the user isn't authorized for is never loaded is ideal (adding conditions to your where clause). Pothos doesn't really provide anything that helps with this though.

There isn't a good way to global define and enforce these rules across multiple objects, because Pothos doesn't really understand the relations between the different objects in a way that would allow knowing if a particular relation denotes ownership/access.

What you can do share/simplify how the auth scope for organizations is defined:

You can create a scope like accessOrganization: string, that does something like

authScopes: (ctx) => ({
  accessOrganization: (id) => ctx.user.organizationId === id,
})

Then on your objects:

builder.prismaObject('User', {
  runScopesOnType: true,
  authScopes: (user) => ({ accessOrganization: user.organizationId }),
 ...
})

Not sure if this helps

1 reply

arimgibson Mar 20, 2023
Author Sponsor

That does help, thank you! Always good to know that I was on the right path and didn't miss a better way of doing this. The accessOrganization with the parameter is really smart though, and that definitely simplifies a bit. Will end up doing the same thing for users who shouldn't access another user's data 😄

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ScopeAuth Plugin - Prevent User From Accessing Other Group's Data #845

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

ScopeAuth Plugin - Prevent User From Accessing Other Group's Data #845

arimgibson Mar 20, 2023 Sponsor

Replies: 1 comment · 1 reply

hayes Mar 20, 2023 Maintainer

arimgibson Mar 20, 2023 Author Sponsor

arimgibson
Mar 20, 2023
Sponsor

Replies: 1 comment 1 reply

hayes
Mar 20, 2023
Maintainer

arimgibson Mar 20, 2023
Author Sponsor