rumble: When drizzle, pothos (GraphQL) and abilities go hand in hand!

[m1212e]

Hi, I made rumble. It's a wrapper around a few concepts (mainly abilities in combination with drizzle and pothos) which I really like and found useful while building GraphQL APIs.

It heavily relies on drizzle and the drizzle schema to make the stuff work it can do, and since drizzle provides strong types with everything, rumble does that too!

Abilities

Inspired by CASL and its Prisma plugin, rumble lets you define abilities on an ability builder. Abilities are nothing more than filter objects for the drizzle query API. Remember how you can restrict certain things from being returned when passing a eq(...) to a findMany call? Why not use this for defining the permissions for various entities in you application? From the example:

// users can edit themselves
abilityBuilder.users
 .allow(["read", "update", "delete"])
 .when(({ userId }) => ({ where: eq(schema.users.id, userId) }));

// everyone can read posts
abilityBuilder.posts.allow("read");

// only the author can update posts
abilityBuilder.posts
 .allow(["update", "delete"])
 .when(({ userId }) => ({ where: eq(schema.posts.authorId, userId) }));

With rumble, you can use the drizzle query API to write down the things people can do and under which conditions they can do that. Later when we want to actually enforce the permissions we can do something like this:

await db
 .update(schema.users)
 .set({
  name: args.newName,
 })
 .where(
  and(
   eq(schema.users.id, args.userId),
   ctx.abilities.users.filter("update").where,
  ));

When integrating with pothos (a very cool and easy to use GraphQL builder), a query with restrictions applied might look like this:

schemaBuilder.queryFields((t) => {
 return {
  findManyPosts: t.drizzleField({
   type: [PostRef],
   resolve: (query, root, args, ctx, info) => {
    return db.query.posts.findMany(
     // here we again apply out filters based on the defined abilities
     query(ctx.abilities.users.filter("read")),
    );
   },
  }),
 };
});

See how we use the abilities from our context to inject the filter into the query.

Helpers

Since writing the resolvers, objects, args etc. all with permissions applied properly can be a bit tedious, rumble offers some helpers to do that for you. Defining objects, their relations and properly restricting access has never been easier:

const UserRef = object({
 // name of the table you want to implement 
 tableName: "users"
});

query({
 tableName: "users",
});

The above code adds a findFirstUsers and findManyUsers field to your root query, equips them with proper filters so you can decide on what you want returned when querying, applies the ability filters and implements all relations via the pothos drizzle plugin. The following query is possible by performing the two calls above (assuming you implemented the post object either through helpers or manually, and of course properly configuring your abilities!):

query MyQuery {
  findFirstUsers(where: {
    posts: {
      author: {
        id: 2
      }
    }
  }) {
    id
    mood
    name
    posts {
      content
      id
    }
  }
}

Subscriptions

The cherry on top: All rumble helpers support subscriptions via the pothos smart subscription plugin out of the box. Get the reference from the rumble helper:

const { updated: updatedUser, created: createdUser } = pubsub({
 tableName: "users",
});

Now just make sure you call the created/updated/removed functions for the appropriate table and you are good to go!

If you want to learn more about how rumble works, please see the repo or the example for more!

Thanks for reading! If you have any questions, feel free to open an issue/discussion in the repo or just ask here!