graphql - 在 Nestjs 中使用 graphql 进行授权

Question

我已经开始学习 Nestjs、express 和 graphql。我在尝试授权使用 jwt 令牌进行身份验证的用户访问时遇到问题。我按照Nestjs 网站上的身份验证教程进行操作。我能够获取当前用户，但是当我尝试实现基本角色基础访问控制时，我无法在 canActivate 方法中访问当前用户。我认为这是因为 Roles Guard 在 Graphql Guard 之前执行。

我将在这里发布代码

gql-auth.guard.ts

import { ExecutionContext } from "@nestjs/common";
import { GqlExecutionContext } from "@nestjs/graphql";
import { AuthGuard } from "@nestjs/passport";

export class GqlAuthGuard extends AuthGuard("jwt") {
    getRequest(context: ExecutionContext) {
        const ctx = GqlExecutionContext.create(context);
        console.log("gql simple context: ", context);
        console.log("gqlContext: ", ctx.getContext());
        return ctx.getContext().req;
    }
}

角色.guard.ts

import { CanActivate, ExecutionContext, Injectable } from "@nestjs/common";
import { Reflector } from "@nestjs/core";
import { GqlExecutionContext } from "@nestjs/graphql";

@Injectable()
export class RolesGuard implements CanActivate {
    constructor(private reflector: Reflector) {}

    canActivate(context: ExecutionContext) {
        const roles = this.reflector.get<string[]>("roles", context.getHandler());
        const ctx = GqlExecutionContext.create(context);
        console.log("roles: ", roles);
        console.log("context: ", context.switchToHttp().getRequest());
        console.log("gqlContext: ", ctx.getContext().req);

        return true;
    }
}

jwt.strategy.ts

import { Injectable } from "@nestjs/common";
import { PassportStrategy } from "@nestjs/passport";
import { ExtractJwt, Strategy } from "passport-jwt";
import { jwtConstants } from "../constants";

@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy) {
    constructor() {
        super({
            jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
            ignoreExpiration: false,
            secretOrKey: jwtConstants.secret,
        });
    }

    validate(payload: any) {
        console.log("payload: ", payload);

        return payload;
    }
}

解析器

@UseGuards(GqlAuthGuard)
@Roles("ADMIN")
@UseGuards(RolesGuard)
@Query((returns) => [Specialty], { nullable: "itemsAndList", name: "specialties" })
async getSpecialties(@Args() params: FindManySpecialtyArgs, @Info() info: GraphQLResolveInfo) {
    const select = new PrismaSelect(info).value;
    params = { ...params, ...select };
    return this.prismaService.specialty.findMany(params);
}

有没有人成功实施过这个？

Answer 1

您应该在同一个@UseGuards()装饰器中使用两个警卫。喜欢@UseGuards(GqlAuthGuard, RolesGuard)。Nest 将按顺序运行这些程序而不会出现问题。

Answer 2

export const Authorize = (roles?: string | string[]) =>
  applyDecorators(
    SetMetadata('roles', [roles].flat()),
    UseGuards(GqlAuthGuard, RolesGuard),
  );

@Authorize("ADMIN")
@Query((returns) => [Specialty], { nullable: "itemsAndList", name: "specialties" })
async getSpecialties(@Args() params: FindManySpecialtyArgs, @Info() info: GraphQLResolveInfo) {
    const select = new PrismaSelect(info).value;
    params = { ...params, ...select };
    return this.prismaService.specialty.findMany(params);
}

Answer 3

完整的授权码 Graphql 和 NestJs：

@Injectable()
export class RolesGuard_ implements CanActivate {
  constructor(private reflector: Reflector) {}

  canActivate(context: ExecutionContext): boolean {
    const ctx = GqlExecutionContext.create(context);

    const requiredRoles = this.reflector.getAllAndOverride<Role[]>(ROLES_KEY, [
      context.getHandler(),
      context.getClass(),
    ]);

    if (!requiredRoles) {
      return true;
    }

    const { user } = ctx.getContext().req;
    return requiredRoles.some((role) => user.role?.includes(role));
  }
}