authorization icon indicating copy to clipboard operation
authorization copied to clipboard
verified publisher icon graphql-dotnet

IAuthorizationRequirement is not sent the same variable names as those in IResolveField context

Open JRDrummond opened this issue 5 years ago • 2 comments

Take the following AuthorizationRequirement:

namespace GraphQLNet.AuthRequirements
{
	public class IsSelf : IAuthorizationRequirement
	{
		public Task Authorize(AuthorizationContext context)
		{
			var user = context.User;
			object idArg;
			if (context.InputVariables.TryGetValue("userID", out idArg) 
				&& user.HasClaim(c => c.Type == "ID" && c.Value == idArg.ToString()) 
				|| user.IsInRole(Roles.Admin))
			{
				return Task.CompletedTask;
			};

			context.ReportError("You cannot access private fields of another user.");

			return Task.CompletedTask;
		}
	}
}

It can be defeated with the following query:

query users($user: String) {
  users(id: $user) {
	id
	privateStuff // Secured with IsSelf
  }
}
//Variables:
{
	"userID": "myUserID",
	"user": "someoneElse'sUserID"
}

This is because AuthorizationContext.InputVariables accesses the variables object whereas IResolveFieldContext.GetArgument<>() accesses variables from the query arguments, whose names are defined by the schema.

As it stands now, there is no way to secure fields based on what arguments are allowed to be passed in. In fact, as shown above, there is no point in securing the variables object's key names since any other variable name can be passed in as a query argument.

Resolution:

Pass IResolveFieldContext.Arguments as AuthorizationContext.Arguments into IAuthorizationRequirement.Authorize.

This only makes sense as AuthorizationRequirements are supposed to define authorization for fields, therefore, they should look at the same context that they are securing.

JRDrummond avatar Apr 12 '21 14:04 JRDrummond

Some thoughts:

  1. Probably this was fixed in #179
  2. What version do you use? I see InputVariables. In master I see Inputs.

This is because AuthorizationContext.InputVariables accesses the variables object whereas IResolveFieldContext.GetArgument<>() accesses variables from the query arguments, whose names are defined by the schema.

Sorry, I don't understand.

This only makes sense as AuthorizationRequirements are supposed to define authorization for fields, therefore, they should look at the same context that they are securing.

Policies (policy is a named set of 1 or more AuthorizationRequirements) may be applied on any IProvideMetadata object namely: input type, object type, object field, input objet field, etc. What do you mean same context?

sungam3r avatar Dec 11 '21 22:12 sungam3r

Hi @JRDrummond , I just came across this issue. I'm working on implementing something similar as stated in your "Resolution". I was wondering how you were accessing the IResolveFieldContext.Arguments in your AuthorizationEvaluator? This would greatly help me, Thanks in advance.

alexistamand avatar Jan 28 '22 19:01 alexistamand