GraphQL-Authz is a Python port of GraphQL-Authz, the Casbin authorization middleware implementation in Node.js.
This package should be used with GraphQL-core 3, providing the capability to limit access to each GraphQL resource with the authorization middleware.
Install the package using pip.
pip install casbin-graphql-authz
Limit the access to each GraphQL resource with a policy. For example, given this policy for an RBAC model:
p, authorized_user, hello, query
Authorization can be enforced using:
import casbin from authz.middleware import enforcer_middleware from graphql import ( graphql_sync, GraphQLSchema, GraphQLObjectType, GraphQLField, GraphQLString, ) schema = GraphQLSchema( query=GraphQLObjectType( name="RootQueryType", fields={ "hello": GraphQLField( GraphQLString, resolve=lambda obj, info: "world") })) enforcer = casbin.Enforcer("model_file.conf", "policy_file.csv") authorization_middleware = enforcer_middleware(enforcer) query = """{ hello }""" # Authorized user ("authorized_user") has access to data response = graphql_sync( schema, query, middleware=[authorization_middleware], context_value={"role": "authorized_user"} ) assert response.data == {"hello": "world"} # Unauthorized users ("unauthorized_user") are rejected response = graphql_sync( schema, query, middleware=[authorization_middleware], context_value={"role": "unauthorized_user"} ) assert response.errors[0].message == "unauthorized_user can not query hello"
For more interesting scenarios see tests folder.
Implementation was heavily inspired by the Node.js middleware GraphQL-Authz.
Authorization enforcement is based on Casbin authorization library.
