ash_graphql/documentation/topics/authorize-with-graphql.md

# Authorize with GraphQL

AshGraphql uses three special keys in the `absinthe` context:

- `:actor` - the current actor, to be used for authorization/preparations/changes
- `:tenant` - a tenant when using [multitenancy](https://hexdocs.pm/ash/multitenancy.html).
- `:ash_context` - a map of arbitrary context to be passed into the changeset/query. Accessible via `changeset.context` and `query.context`

By default, `authorize?` in the domain is set to true. To disable authorization for a given domain in graphql, use:

```elixir
graphql do
  authorize? false
end
```

If you are doing authorization, you'll need to provide an `actor`.

To set the `actor` for authorization, you'll need to add an `actor` key to the
absinthe context. Typically, you would have a plug that fetches the current user and uses `Ash.PlugHelpers.set_actor/2` to set the actor in the `conn` (likewise with `Ash.PlugHelpers.set_tenant/2`).

Just add `AshGraphql.Plug` somewhere _after_ that in the pipeline and the your
GraphQL APIs will have the correct authorization.

```elixir
defmodule MyAppWeb.Router do
  pipeline :api do
    # ...
    plug :get_actor_from_token
    plug AshGraphql.Plug
  end

  scope "/" do
    forward "/gql", Absinthe.Plug, schema: YourSchema

    forward "/playground",
          Absinthe.Plug.GraphiQL,
          schema: YourSchema,
          interface: :playground
  end

  def get_actor_from_token(conn, _opts) do
     with ["" <> token] <- get_req_header(conn, "authorization"),
         {:ok, user, _claims} <- MyApp.Guardian.resource_from_token(token) do
      conn
      |> set_actor(user)
    else
    _ -> conn
    end
  end
end
```

## Policy Breakdowns

By default, unauthorized requests simply return `forbidden` in the message. If you prefer to show policy breakdowns in your GraphQL errors, you can set the config option:

```elixir
config :ash_graphql, :policies, show_policy_breakdowns?: true
```

```json
{
  "data": {
    "attendanceRecords": null
  },
  "errors": [
    {
      "code": "forbidden",
      "fields": [],
      "locations": [
        {
          "column": 3,
          "line": 2
        }
      ],
      "message": "MyApp.Authentication.User.read\n\n\n\n\nPolicy Breakdown\n  Policy | ⛔:\n    forbid unless: actor is active | ✓ | ⬇    \n    authorize if: actor is Executive | ✘ | ⬇",
      "path": ["attendanceRecords"],
      "short_message": "forbidden",
      "vars": {}
    }
  ]
}
```

Be careful, as this can be an attack vector in some systems (i.e "here is exactly what you need to make true to do what you want to do").

## Field Policies

Field policies in AshGraphql work by producing a `null` value for any forbidden field, as well as an error in the errors list.

> ### nullability {: .warning}
>
> Any fields with field policies on them should be nullable. If they are not nullable, the _parent_ object will also be `null` (and considered in an error state), because `null` is not a valid type for that field.

To make fields as nullable even if it is not nullable by its definition, use the `nullable_fields` option.

```elixir
graphql do
  type :post

  nullable_fields [:foo, :bar, :baz]
end
```
docs: Fix minor typos in headings (#53) 2023-01-24 16:42:11 +13:00			`# Authorize with GraphQL`
improvement: support `ash_context` key 2021-04-20 08:17:35 +12:00
feat(AshGraphql.Plug): Support standard actor/tenant configuration. (#43) 2022-10-31 10:49:24 +13:00			AshGraphql uses three special keys in the `absinthe` context:
improvement: support `ash_context` key 2021-04-20 08:17:35 +12:00
docs: documentation overhaul 2024-05-02 07:59:26 +12:00			- `:actor` - the current actor, to be used for authorization/preparations/changes
			- `:tenant` - a tenant when using [multitenancy](https://hexdocs.pm/ash/multitenancy.html).
			- `:ash_context` - a map of arbitrary context to be passed into the changeset/query. Accessible via `changeset.context` and `query.context`
fix: update to latest ash 2021-04-04 06:43:42 +12:00
improvement!: port AshGraphql to Ash 3.0 (#123) Step 1: update Ash Step 2: mass rename Api to Domain Step 3: Ash.Query.expr -> Ash.Expr.expr Also change ref interpolation Step 4: remove all warnings Step 5: remove registries from tests Step 6: fix filter Step 7: private? -> !public? Step 8: Ash.Calculation -> Ash.Resource.Calculation Step 9: use depend_on_resources/1 -> resources/1 Step 10: add Domain to all resources Step 11: use Ash module for all actions Step 12: add public? true all around Step 13: remove verbose? from options passed during Domain calls Step 14: add simple_sat Step 15: Ash.ErrorKind is no more, so remove code from errors Step 16: sprinkle default_accept :* around tests Step 17: replace Ash.Changeset.new/2 with Ash.Changeset.for_* Step 18: calculation fixups - Context is now a struct and arguments go under the arguments key - Function based calculations receive a list of records - Add a select to query-based loads - select -> load Step 19: pass the correct name to pass the policy in tests Step 20: Ash.Query.new/2 is no more Step 21: add AshGraphql.Resource.embedded? utility function Use that instead of Ash.Type.embedded_type?(resource_or_type) since resources are not types anymore Step 22: handle struct + instance_of: Resource in unions Resources are not type anymore so they need to be passed this way in unions Step 23: ensure we only check GraphQL actions for pagination All reads are now paginated by default, so this triggered a compilation error Step 24: swap arguments for sort on calculations Step 25: remove unused debug? option 2024-04-02 07:03:06 +13:00			By default, `authorize?` in the domain is set to true. To disable authorization for a given domain in graphql, use:
fix: update to latest ash 2021-04-04 06:43:42 +12:00
			```elixir
			`graphql do`
			`authorize? false`
			`end`
			```

			If you are doing authorization, you'll need to provide an `actor`.

feat(AshGraphql.Plug): Support standard actor/tenant configuration. (#43) 2022-10-31 10:49:24 +13:00			To set the `actor` for authorization, you'll need to add an `actor` key to the
docs: documentation overhaul 2024-05-02 07:59:26 +12:00			absinthe context. Typically, you would have a plug that fetches the current user and uses `Ash.PlugHelpers.set_actor/2` to set the actor in the `conn` (likewise with `Ash.PlugHelpers.set_tenant/2`).
fix: update to latest ash 2021-04-04 06:43:42 +12:00
feat(AshGraphql.Plug): Support standard actor/tenant configuration. (#43) 2022-10-31 10:49:24 +13:00			Just add `AshGraphql.Plug` somewhere _after_ that in the pipeline and the your
			`GraphQL APIs will have the correct authorization.`
fix: update to latest ash 2021-04-04 06:43:42 +12:00
feat(AshGraphql.Plug): Support standard actor/tenant configuration. (#43) 2022-10-31 10:49:24 +13:00			```elixir
			`defmodule MyAppWeb.Router do`
			`pipeline :api do`
			`# ...`
			`plug :get_actor_from_token`
			`plug AshGraphql.Plug`
			`end`
fix: update to latest ash 2021-04-04 06:43:42 +12:00
feat(AshGraphql.Plug): Support standard actor/tenant configuration. (#43) 2022-10-31 10:49:24 +13:00			`scope "/" do`
			`forward "/gql", Absinthe.Plug, schema: YourSchema`
fix: update to latest ash 2021-04-04 06:43:42 +12:00
feat(AshGraphql.Plug): Support standard actor/tenant configuration. (#43) 2022-10-31 10:49:24 +13:00			`forward "/playground",`
			`Absinthe.Plug.GraphiQL,`
			`schema: YourSchema,`
			`interface: :playground`
fix: update to latest ash 2021-04-04 06:43:42 +12:00			`end`

feat(AshGraphql.Plug): Support standard actor/tenant configuration. (#43) 2022-10-31 10:49:24 +13:00			`def get_actor_from_token(conn, _opts) do`
			`with ["" <> token] <- get_req_header(conn, "authorization"),`
fix: update to latest ash 2021-04-04 06:43:42 +12:00			`{:ok, user, _claims} <- MyApp.Guardian.resource_from_token(token) do`
feat(AshGraphql.Plug): Support standard actor/tenant configuration. (#43) 2022-10-31 10:49:24 +13:00			`conn`
			`\|> set_actor(user)`
			`else`
			`_ -> conn`
fix: update to latest ash 2021-04-04 06:43:42 +12:00			`end`
			`end`
			`end`
			```
feat: add policy breakdowns option (#35) 2022-05-25 08:42:40 +12:00
			`## Policy Breakdowns`

			By default, unauthorized requests simply return `forbidden` in the message. If you prefer to show policy breakdowns in your GraphQL errors, you can set the config option:

			```elixir
			`config :ash_graphql, :policies, show_policy_breakdowns?: true`
			```

			```json
			`{`
			`"data": {`
			`"attendanceRecords": null`
			`},`
			`"errors": [`
			`{`
			`"code": "forbidden",`
			`"fields": [],`
			`"locations": [`
			`{`
			`"column": 3,`
			`"line": 2`
			`}`
			`],`
			`"message": "MyApp.Authentication.User.read\n\n\n\n\nPolicy Breakdown\n Policy \| ⛔:\n forbid unless: actor is active \| ✓ \| ⬇ \n authorize if: actor is Executive \| ✘ \| ⬇",`
docs: documentation overhaul 2024-05-02 07:59:26 +12:00			`"path": ["attendanceRecords"],`
feat: add policy breakdowns option (#35) 2022-05-25 08:42:40 +12:00			`"short_message": "forbidden",`
			`"vars": {}`
			`}`
			`]`
			`}`
			```

			`Be careful, as this can be an attack vector in some systems (i.e "here is exactly what you need to make true to do what you want to do").`
improvement: add `nullable_fields?` for easily marking fields as nullable test: update tests to use this to illustrate field policy behavior 2024-07-02 01:23:16 +12:00
			`## Field Policies`

			Field policies in AshGraphql work by producing a `null` value for any forbidden field, as well as an error in the errors list.

			`> ### nullability {: .warning}`
			`>`
			> Any fields with field policies on them should be nullable. If they are not nullable, the _parent_ object will also be `null` (and considered in an error state), because `null` is not a valid type for that field.

			To make fields as nullable even if it is not nullable by its definition, use the `nullable_fields` option.

			```elixir
			`graphql do`
			`type :post`

			`nullable_fields [:foo, :bar, :baz]`
			`end`
			```