Row level security using prisma and postgres


Problem description

I am using prisma and yoga graphql servers with a postgres DB.

I want to implement authorization for my graphql queries. I saw solutions like graphql-shield that solve column level security nicely - meaning I can define a permission and according to it block or allow a specific table or column of data (or in graphql terms, block a whole entity or a specific field).

The part I am stuck on is row level security - filtering rows by the data they contain - say I want to allow a logged in user to view only the data that is related to him, so depending on the value in a user_id column I would allow or block access to that row (the logged in user is one example, but there are other use cases in this genre).

This type of security requires running a query to check which rows the current user has access to and I can't find a way (that is not horrible) to implement this with prisma.

If I was working without prisma, I would implement this in the level of each resolver but since I am forwarding my queries to prisma I do not control the internal resolvers on a nested query.

But I do want to work with prisma, so one idea we had was handling this in the DB level using postgres policy. This could work as follows:


  1. Every query we run will be wrapped in a begin transaction and a commit transaction

  2. Before the query, I would run set local context.user_id to 5

  3. Then I would run the query (the policy would filter based on current_setting('context.user_id'))

For this to work I would need prisma to allow me to either add pre/post queries to each query that runs or let me set a context for the db.

But these options are not available in prisma.

Any ideas?
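The database-side scheme sketched in steps 1-3 above, written out as an added example (not part of the original question). The table, role, and sample rows are constructed; it assumes the script is run by a superuser or table owner and that the application connects as the non-owner role, since owners bypass RLS by default.

```sql
-- Constructed example: per-user documents protected by a Postgres policy.
CREATE TABLE document (
  id      serial  PRIMARY KEY,
  user_id integer NOT NULL,
  body    text    NOT NULL
);

-- Role the application connects as. It must not own the table: owners
-- bypass RLS unless FORCE ROW LEVEL SECURITY is set.
CREATE ROLE app_user LOGIN PASSWORD 'placeholder-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON document TO app_user;
GRANT USAGE, SELECT ON SEQUENCE document_id_seq TO app_user;

ALTER TABLE document ENABLE ROW LEVEL SECURITY;

-- A row is visible and writable only when user_id matches the transaction
-- setting context.user_id. current_setting(..., true) returns NULL instead
-- of raising when the setting was never defined; NULLIF handles the empty
-- string Postgres leaves behind once a SET LOCAL has ended, so an unset
-- context compares as NULL and matches nothing.
CREATE POLICY document_owner ON document
  USING      (user_id = NULLIF(current_setting('context.user_id', true), '')::integer)
  WITH CHECK (user_id = NULLIF(current_setting('context.user_id', true), '')::integer);

-- Seed data inserted as the owner, who is not subject to the policy.
INSERT INTO document (user_id, body)
VALUES (5, 'note owned by user 5'), (7, 'note owned by user 7');

-- Steps 1-3 as the application role: SET LOCAL is scoped to the transaction,
-- so the user id cannot leak to a pooled connection serving another user.
SET ROLE app_user;
BEGIN;
SET LOCAL context.user_id = '5';
SELECT id, body FROM document;     -- only user 5's row is returned
COMMIT;

-- Outside the transaction the context is gone and the policy hides every row.
SELECT count(*) FROM document;     -- 0 for app_user
RESET ROLE;
```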

Recommended answer

You can use prisma-client instead of prisma-binding.

With prisma-binding, you define the top level resolver, then delegate to prisma for all the nesting.

On the other hand, prisma-client only returns scalar values of a type, and you need to define the resolvers for the relations, which means you have complete control over what you return, even for nested queries. (See the documentation for an example.)

I would suggest you use prisma-client to apply your security filters on the fields.
