"Not Authorised!"

Question

"Not Authorised!"

enbermudas opened this issue 4 years ago · comments

Sanic commented 4 years ago

Bug report

I have checked other issues to make sure this is not a duplicate.

Describe the bug

I know that there is a pinned issue with this exact error message, but my problem is quite different.

I'm trying to use my isAdmin rule on a mutation called userCreate.

The problem is that even though the comparision of the roleId property in the user against the id property from the administrator role returns true, the mutation is giving me an error with the message: "Not Authorised!".

So, if I am returning true (tested with a console log by activating the apollo-server debug option), why is this happening?

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

This is my GraphQL Schema.

import { gql } from 'apollo-server';

const typeDefs = gql`
  type User {
    id: ID!
    roleId: ID!
    username: String!
    email: String!
    password: String!
    createdAt: String!
    updatedAt: String!
    threads: [Thread]
    replies: [Reply]
  }

  type Thread {
    id: ID!
    authorId: ID!
    title: String!
    body: String!
    createdAt: String!
    updatedAt: String!
    author: User!
    participants: [User]
    replies: [Reply]
  }

  type Reply {
    id: ID!
    authorId: ID!
    threadId: ID!
    body: String!
    createdAt: String!
    updatedAt: String!
    author: User!
    thread: Thread!
  }

  type Query {
    # Auth
    current: User!

    # User
    user(id: ID!): User!
    users: [User!]!

    # Thread
    thread(id: ID!): Thread!
    threads: [Thread!]!

    # Reply
    reply(id: ID!): Reply!
    replies: [Reply!]!
  }

  # ================================================================================ MUTATIONS

  type Mutation {
    # Auth
    register(username: String!, email: String!, password: String!): User!
    login(username: String!, password: String!): LoginResponse!

    # User
    userCreate(username: String!, email: String!, password: String!): User!

    # Thread
    threadCreate(authorId: ID!, title: String!, body: String!): Thread!

    # Reply
    replyCreate(authorId: ID!, threadId: ID!, body: String!): Reply!
  }

  # ================================================================================ RESPONSES

  # Auth
  type LoginResponse {
    token: String
    user: User
  }
`;

export default typeDefs;

This is the invoked query

const isAdmin = rule({ cache: 'contextual' })(
  async (parent, args, ctx, info) => {
    const role = await Role.findOne({ slug: 'administrator' });
    return ctx.user.roleId === role.id;
  }
);

I use these permissions

const permissions = shield({
  Query: {},
  Mutation: {
    // Auth
    login: not(isAuthenticated),
    register: not(isAuthenticated),

    // User
    userCreate: isAdmin,

    // Thread
    threadCreate: isAuthenticated,

    // Reply
    replyCreate: isAuthenticated
  }
});

This is the error I see

{
  "errors": [
    {
      "message": "Not Authorised!",
      "locations": [
        {
          "line": 2,
          "column": 3
        }
      ],
      "path": [
        "userCreate"
      ],
      "extensions": {
        "code": "INTERNAL_SERVER_ERROR",
        "exception": {
          "stacktrace": [
            "Error: Not Authorised!",
            "    at normalizeOptions (/home/kike/prs/projects/rpbb/node_modules/graphql-shield/src/shield.ts:34:7)",
            "    at shield (/home/kike/prs/projects/rpbb/node_modules/graphql-shield/src/shield.ts:52:29)",
            "    at Object.<anonymous> (/home/kike/prs/projects/rpbb/src/server/config/shield.js:27:21)",
            "    at Module._compile (internal/modules/cjs/loader.js:774:30)",
            "    at Module._compile (/home/kike/prs/projects/rpbb/node_modules/pirates/lib/index.js:99:24)",
            "    at Module._extensions..js (internal/modules/cjs/loader.js:785:10)",
            "    at Object.newLoader [as .js] (/home/kike/prs/projects/rpbb/node_modules/pirates/lib/index.js:104:7)",
            "    at Module.load (internal/modules/cjs/loader.js:641:32)",
            "    at Function.Module._load (internal/modules/cjs/loader.js:556:12)",
            "    at Module.require (internal/modules/cjs/loader.js:681:19)",
            "    at require (internal/modules/cjs/helpers.js:16:16)",
            "    at Object.<anonymous> (/home/kike/prs/projects/rpbb/src/server/config/apollo.js:5:1)",
            "    at Module._compile (internal/modules/cjs/loader.js:774:30)",
            "    at Module._compile (/home/kike/prs/projects/rpbb/node_modules/pirates/lib/index.js:99:24)",
            "    at Module._extensions..js (internal/modules/cjs/loader.js:785:10)",
            "    at Object.newLoader [as .js] (/home/kike/prs/projects/rpbb/node_modules/pirates/lib/index.js:104:7)"
          ]
        }
      }
    }
  ],
  "data": null
}

Expected behavior

Get the id and username in the mutation response after inserting the user in the MongoDB users collection.

Actual behaviour

Returns an "Not Authorised!" error message.

Additional context

N/A

Matic Zavadlal · Answer 1 · Wed May 06 2020 14:58:18 GMT+0800 (China Standard Time)

Hey,
As you mentioned, this is a duplicate. You have to allow User as well as payloads to get the correct result. I am confident that mutation is executed as expected, and Shield only blocks the return value.

Please refer to the other issue otherwise.