How to authorize based on an id for an entity over multiple resolvers?

[MrEbbinghaus]

I am sure this has been discussed at least once on Slack, but here I am again.

Imagine you have the following models:
A Group has Posts and a Post has Comments. (:group/id, :post/id, :comment/id)
You can only see posts or comments if you are part of a group.
Now each of these models has several attributes spread over several resolvers.

How would you implement authorization across multiple resolvers?

The naive solution

(defresolver resolve-no-of-commenters [{:keys [user]} {:post/keys [id]}]
   {::pc/input #{:post/id}
    ::pc/output [:post/no-of-commenters]}
   (when (authorized-to-access? user {:post/id id})
     {:post/no-of-commenters (get-no-of-commenters {:post/id id})}))

Adding a check to each resolver.
This leads to too much redundant code and checks. So not a good solution.

Translate external keys to internal ones

It would be better to make the check if a user can access any resolver with a posts id as input once, with something like this:

(defresolver post-gate [{:keys [user]} {:post/keys [id]}]
 {::pc/input #{:post/id}
  ::pc/output [:INTERNAL.post/id]}
 (when (authorized? user {:post/id id})
   {:INTERNAL.post/id id}))

(defresolver resolve-no-of-commenters [{:keys [user]} {:INTERNAL.post/keys [id]}]
  {::pc/input #{:INTERNAL.post/id}
   ::pc/output [:post/no-of-commenters]}
  {:post/no-of-commenters (get-no-of-commenters {:post/id id})}))

(You would allow the key :authorized-post only internally and remove it from incoming queries.)

This is also good, because it could pass down authorization to children nodes, skipping the authorization for them.

(defresolver resolve-group-posts [{:keys [user]} {:group/keys [id]}]
   {::pc/input #{:group/id}
    ::pc/output [{:group/posts [:post/id :INTERNAL.post/id]}]}
    (when (authorized? user {:group/id id})
      (for [{post-id :post/id} (get-posts {:group/id id}]
        {:INTERNAL.post/id post-id
         :post/id post-id})))

But: This is really tedious to write, and it would be better if this was opaque.

---

Now to my questions:
Is there a way to implement such... "gates" ... in pathom?

Should I keep all authorized ids in the env?
Can I write a plugin, that does this? When an id appears for the first time and isn't in the env, check if the user is authorized? If not, stop that part of the query. If authorized, continue and add to the env?

Is this a use case for the request cache?

I am quite lost on how to do that nicely.

[tylernisonoff]

Have you considered using pc/transform here? This discussion post has some ideas for implementing auth with pathom.

[MrEbbinghaus]

Uhh... didn't know about souenzzo/eql-style-guide I will look into it.

pc/transform works on a resolver level. So sure, it can be used, but if there is a better solution… like a plugin, where I can say: "When you encounter :post/id, then authorize it first before calling the resolver" I would prefer that.