Skip to content

gateway-hooks

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History
 
 

gateway-hooks

README.md

Gateway hooks example

In this example we will use the gateway hooks to change the behavior of the gateway. This repository contains the following:

  • subgraph: a GraphQL server exposing a few users
  • auth-service: a HTTP service imitating an authorization endpoint to grant access to some data.
  • federated-schema.graphql: the federated GraphQL schema generated with the subgraph.
  • grafbase.toml: the configuration for the Grafbase Gateway`

Setup

Dependencies

To run this example, you need the Grafbase Gateway version 0.4.0 or later, read more how to install it from:

https://grafbase.com/docs/self-hosted-gateway

Additionally, the following tools are needed:

  • A C compiler, such as clang together with pkg-config (install based on your system, cc command is required)
  • If on Linux, cargo-component depends on OpenSSL (libssl-dev on Debian)
  • Rust compiler (install docs)
  • Cargo component (install docs)
  • A GraphQL client, such as Altair

For the advanced users using nix with flakes support:

nix develop

Running the example

First, start the subgraph in one terminal:

cd subgraph
cargo run --release

Then the authorization service:

cd auth-service
cargo run --release

Next compile the WebAssembly hook functions into a Wasm component in another terminal:

cd hooks
cargo component build --release

After a successful build, the Wasm component should be located at target/wasm32-wasip1/release/demo_hooks.wasm.

Finally start the grafbase-gateway:

grafbase-gateway --schema federated-schema.graphql --config grafbase.toml

Now you are ready to send queries!

Design

The hooks implement the following authorization rules:

  1. An user with id N can see all users with an ID equal or inferior to N: User 3 can see users 1, 2 and 3 but not 4
  2. An admin can see the list of all users (header x-role: admin)
  3. The address is only available to the user himself

The header x-current-user-id determines the current user id and x-role defines the role.

Examples

Can not access any user data:

curl -X POST http://127.0.0.1:5000/graphql \
    --data '{"query": "query { user(id: 1) { name } }"}' \
    -H 'Content-Type: application/json'

Can access one's own data:

curl -X POST http://127.0.0.1:5000/graphql \
    --data '{"query": "query { user(id: 3) { name address { street } } }"}' \
    -H 'Content-Type: application/json' \
    -H 'x-current-user-id: 2'

Can access user name from 1 & 2, but not 3 & 4, and only its own address:

curl -X POST http://127.0.0.1:5000/graphql \
    --data '{"query": "query { users { name address { street } } }"}' \
    -H 'Content-Type: application/json' \
    -H 'x-current-user-id: 2'

Can access all user names, but only its own address:

curl -X POST http://127.0.0.1:5000/graphql \
    --data '{"query": "query { users { name address { street } } }"}' \
    -H 'Content-Type: application/json' \
    -H 'x-current-user-id: 2' \
    -H 'x-role: admin'