Authorization PR

.gitignore

@@ -6,3 +6,7 @@ dev.sqlite3
 db
 ./output
 dist
+log/all-logs-readable.log
+yarn-error.log
+bin/test-model-generator.js
+

README.md

@@ -115,7 +115,8 @@ type User {
 }
 ```
 
-You could update the generated `CreateUserInput` input object to take a `password` field:
+The generator automatically adjusts your schema and code in the following way:
+It adjusts the generated `CreateUserInput` input object to take a `password` field:
 
 ```graphql
 input CreateUserInput {
@@ -125,7 +126,7 @@ input CreateUserInput {
 }
 ```
 
-And then update the generated `User` model to hash that password and store it:
+And in updates the generated `User` model to hash that password and store it:
 
 ```js
 import bcrypt from 'bcrypt';
@@ -151,7 +152,112 @@ class User {
 }
 ```
 
-### Client side code
+So the "User" type is treated differently as any other default type.
+
+## Authorization
+
+create-graphql-server can also handle authorizations. There are two ways to control authorizations:
+* Authorization by User-Roles
+* Authorization by Document-Roles
+
+**User-Roles** are stored in the User type. They group a number of users together, having all the same authorizations, defined with their role they play. Use it to define a user as a "super-administrator", "administrator", "publisher", "editor" or a "default-user". You are free to define your own names and numbers of User-Roles.
+
+**Document-Roles** are stored in document fields which are referencing a User._id. They are there, to define fine grained authorizations for individual documents based on single user level. Use it to define an "owner", "creator", author" or "coauthor" of a document. Define the authorization they are allowed to do with this specific document. Here, the userId will be stored in the corresponding document field instead. If a user wants the specific authorization, it is tested, if this userId is stored in the document, if so, he gains access, if not, it is not allowed.
+
+You can combine both models to define your authorization logic.
+
+Add authorization logic by using a simple @authorize directive within your type definition. Use the following syntax:
+```javascript
+type ...
+@authorize(
+  <role1>: [<list of authorizations>]
+  <role2>: [<list of authorizations>]
+  <role3>: [<list of authorizations>]
+)
+...
+<fieldname1>: String @authRole("<role1>")   // User-Role: Stores the Role name in the User type
+<fieldname2>: User @authRole("<role2>")     // Document-Role: Stores Single UserId
+<fieldname3>: [User] @authRole("<role3>")   // Document-Role: Stores Multiple UserIds
+...
+```
+
+A \<role\> can be any name, you want to use for, to describe the authorizations of a group of users. A user can be assigned this \<role\> in a user type of any \<fieldname\>. You have to mark the relevant field name with the directive @authRole("\<role\>").
+
+A list of authorizations can be:
+* create: role is authorized to create a record of this type.
+* read: role is authorized to readOne and readMany of this type.
+	* readOne: role is authorized to only readOne of this type.
+	* readMany: role is authorized to readMany of this type.
+* update: role is authorized to update a record of this type.
+* delete: role is authorized to delete a record of this type.
+
+You can add any number of roles within a @authorize directive.
+
+There is one pre-defined User-Role called "world". The world role includes all users, signed-in and not signed-in anonymous users. Use this role to define an authorization-list valid for all users.
+
+#### Example on type User
+```javascript
+type User
+
+@authorize(
+  admin: ["create", "read", "update", "delete"]  // User-Role
+  this: ["read", "update", "delete"]             // Document-Role
+)
+
+{
+  role: String @authRole("admin") 
+  username: String!
+
+  bio: String
+  notify: Boolean
+
+  tweets(minLikes: Int): [Tweet!] @hasMany(as: "author")
+  liked: [Tweet!] @belongsToMany
+
+  following: [User!] @belongsToMany
+  followers: [User!] @hasAndBelongsToMany(as: "following")
+}
+```
+
+#### Example on type Tweet
+
+```javascript
+type Tweet 
+
+@authorize(
+  admin: ["create", "read", "update", "delete"],   // User-Role
+  world: ["read"]                                  // User-Role
+  author: ["create", "read", "update", "delete"],  // Document-Role
+  coauthors: ["read", "update"],                   // Document-Role
+)
+
+{
+  author: User! @unmodifiable @belongsTo @authRole("author")
+  coauthors: [User] @belongsTo @authRole("coauthors")
+  body: String!
+
+  likers: [User!] @hasAndBelongsToMany(as: "liked")
+}
+```
+
+If you add these types with the create-graphql-server command-line-interface:
+```bash
+create-graphql-server add-type path/to/input.graphql 
+```
+
+It will add automatically the authorization code in the model/\<type\>.js files. Have a look into the generated code or in the test application: "test/output-app/model/User.js".
+
+You can manually change the code to protect also single fields of a type. Do it by the usage of this function:
+```javascript
+//                              userRole secretField document
+docToInsert = protectFields(me, ['admin'], ['role'], docToInsert, { User: this.context.User });
+```
+By this, only a User (me) with role "admin" is allowed to access the field "docToInsert.role". For any other user, this field is removed from the docToInsert during the protectFields run.
+
+## Example Implementation
+[Please have a look at the example implementation.](https://github.com/tmeasday/create-graphql-server/tree/master/test/output-app)
+
+## Client side code
 
 To create users, simply call your generated `createUser` mutation (you may want to add authorization to the resolver, feel free to modify it).
 

bin/create-graphql-server.js

@@ -92,7 +92,6 @@ function getFileUpdateList(inputSchemaFile, mode) {
     // provide a dummy type file just with the type name
     inputSchemaStr = `type ${adjustTypeName(inputSchemaFile)} {}`;
   }
-
   // generate code therefore in memory first
   const {
     typeName,

bin/gentest.js

@@ -0,0 +1,39 @@
+#!/usr/bin/env babel-node --inspect
+/* eslint-disable no-console */
+var exec = require('child_process').exec;
+import fs from 'fs';
+import path from 'path';
+import os from 'os';
+import minimist from 'minimist';
+import generate from '../generate';
+
+const argv = minimist(process.argv.slice(2));
+const commands = argv._;
+const file = commands[0] || path.join('test', 'input', 'User.graphql');
+const targetDir = commands[1] || os.tmpdir();
+const inputSchemaStr = fs.readFileSync(file, 'utf8');
+const {
+  typeName,
+  TypeName,
+  outputSchemaStr,
+  resolversStr,
+  modelStr,
+} = generate(inputSchemaStr);
+
+console.log('\n\INPUT:\n\n', inputSchemaStr);
+console.log('\n\nSCHEMA:\n\n', outputSchemaStr);
+console.log('\n\MODEL:\n\n', modelStr);
+console.log('\n\RESOLVER:\n\n', resolversStr, '\n\n');
+writeFile(file, inputSchemaStr, '.input');
+writeFile(file, outputSchemaStr, '.graphql');
+writeFile(file, modelStr, '.model.js');
+writeFile(file, resolversStr, '.resolver.js');
+
+process.exit(0);
+
+function writeFile(file, data, type) {
+  const newPath = path.join(targetDir, path.basename(file, '.graphql') + type);
+  console.log('writing to file and opening file in sublime editor...', newPath);
+  fs.writeFileSync(newPath, data, 'utf8');
+  exec(`subl ${newPath}`);
+}

circle.yml

@@ -4,7 +4,6 @@ dependencies:
     - yarn:
         pwd: test/output-app
 
-
 test:
   pre:
     - npm start </dev/null &>/tmp/app-output:

generate/index.js

@@ -1,26 +1,23 @@
 // We are in an intermediate step where we aren't actually generating files
 // but we are generating code.
-
 import { parse, print } from 'graphql';
-
-import generateSchema from './schema';
-import generateResolvers from './resolvers';
-import generateModel from './model';
 import { lcFirst } from './util/capitalization';
+import generateModel from './model';
+import generateResolvers from './resolvers';
+import generateSchema from './schema';
 
 export default function generate(inputSchemaStr) {
   const inputSchema = parse(inputSchemaStr);
-
   const type = inputSchema.definitions[0];
   const TypeName = type.name.value;
-
+  const typeName = lcFirst(TypeName);
   const outputSchema = generateSchema(inputSchema);
   const outputSchemaStr = print(outputSchema);
   const resolversStr = generateResolvers(inputSchema);
   const modelStr = generateModel(inputSchema);
-
+  
   return {
-    typeName: lcFirst(TypeName),
+    typeName,
     TypeName,
     outputSchemaStr,
     resolversStr,

generate/model/index.js

@@ -1,107 +1,25 @@
-import fs from 'fs';
 import { print } from 'recast';
+import { templateToAst } from '../util/read';
+import getCode from '../util/getCode';
+import { MODEL } from '../util/constants';
+import { modulePath } from 'create-graphql-server-authorization';
 
-import { templateToAst } from '../read';
-import { lcFirst } from '../util/capitalization';
-import generatePerField from '../util/generatePerField';
-
-function read(name) {
-  return fs.readFileSync(`${__dirname}/templates/${name}.js.template`, 'utf8');
-}
-
-const templates = {
-  base: read('base'),
-  singularAssociation: read('singularAssociation'),
-  paginatedAssociation: read('paginatedAssociation'),
-};
-
-function buildAst(template, {
-  typeName,
-  fieldName,
-  argsStr,
-  ReturnTypeName,
-  query,
-}) {
-  const argsWithDefaultsStr = argsStr
-    .replace('lastCreatedAt', 'lastCreatedAt = 0')
-    .replace('limit', 'limit = 10');
-  return templateToAst(template, {
-    typeName,
-    fieldName,
-    argsStr: argsWithDefaultsStr,
-    ReturnTypeName,
-    query,
-  });
+export default function generateModel(inputSchema) {
+  const ast = generateModelAst(inputSchema);
+  return print(ast, { trailingComma: true }).code;
 }
 
-
-const generators = {
-  base({ typeName, TypeName }) {
-    return templateToAst(templates.base, { typeName, TypeName });
-  },
-  belongsTo(replacements) {
-    return buildAst(templates.singularAssociation, replacements);
-  },
-  belongsToMany(replacements) {
-    const { typeName, fieldName } = replacements;
-    return buildAst(templates.paginatedAssociation, {
-      ...replacements,
-      query: `_id: { $in: ${typeName}.${fieldName}Ids || [] }`,
-    });
-  },
-  // TODO: write test and implement
-  // hasOne({ typeName, fieldName, ReturnTypeName }, { as }) {
-  //   return templateToAst(templates.singularAssociation, {
-  //     typeName,
-  //     fieldName,
-  //     ReturnTypeName,
-  //   });
-  // },
-  hasMany(replacements, { as }) {
-    const { typeName } = replacements;
-    return buildAst(templates.paginatedAssociation, {
-      ...replacements,
-      query: `${as || typeName}Id: ${typeName}._id`,
-    });
-  },
-  hasAndBelongsToMany(replacements, { as }) {
-    const { typeName } = replacements;
-    return buildAst(templates.paginatedAssociation, {
-      ...replacements,
-      query: `${as || typeName}Ids: ${typeName}._id`,
-    });
-  },
-};
-
 export function generateModelAst(inputSchema) {
-  const type = inputSchema.definitions[0];
-  const TypeName = type.name.value;
-  const typeName = lcFirst(TypeName);
-
-  const ast = generators.base({ TypeName, typeName });
 
-  // XXX: rather than hardcoding in array indices it would be less brittle to
-  // walk the tree using https://github.com/benjamn/ast-types
-  const classMethodsAst = ast.program.body[2] // export
-    .declaration // class declaration
-    .body.body;
-
-  const findOneMethod = classMethodsAst.find(m => m.key.name === 'all');
-  let nextIndex = classMethodsAst.indexOf(findOneMethod) + 1;
-
-
-  generatePerField(type, generators).forEach((resolverFunctionAst) => {
-    const classMethodAst = resolverFunctionAst.program.body[0] // class declaration
-      .body.body[0]; // classMethod
-
-    classMethodsAst.splice(nextIndex, 0, classMethodAst);
-    nextIndex += 1;
+  const templateCode = getCode(MODEL, {
+    inputSchema,
+    basePath: [__dirname, 'templates'],
+    authPath: [modulePath, 'templates', 'model', 'auth']
   });
 
-  return ast;
-}
+  // validate syntax of generated template code
+  const replacements = {};
+  const ast = templateToAst(templateCode, replacements);
 
-export default function generateModel(inputSchema) {
-  const ast = generateModelAst(inputSchema);
-  return print(ast, { trailingComma: true }).code;
+  return ast;
 }

generate/model/templates/README.md

@@ -0,0 +1,12 @@
+In order to enable different authorization concepts,
+the templates with a specific and opinionated authorization concept
+are factored out, in a own npm module. You will find those templates
+in the following npm module:
+
+** node_modules/create-graphql-server-authorization/templates/auth **
+
+Please feel free to fork create-graphql-server-authorization
+and implement your own authorization concept there, or add your own
+templates here.
+
+