Automatic ID resolver generators too tightly coupled to RAD Authorization

Question

Automatic ID resolver generators too tightly coupled to RAD Authorization

Closed this issue 4 years ago · 3 comments

I'm working on RAD authorization for my project, and I've noticed that the built-in RAD Auth is depended upon by the Datomic/Cloud automatic ID resolver generators, namely here and here.

This is a bit unfortunate, because it "blesses" RAD's authorization implementation with no means to work around it.

I'm wondering if this is still necessary following the work done by @tylernisonoff in #10, which adds generic transform capability. It seems likely that RAD's redact routine could be moved out into a transform, and could then be opted into/out of at will by library users.

I'm willing to make this change, but I want to make sure I'm not missing something obvious.

Thanks for taking a look.

Answer 1 · 2021-04-03T19:29:49.000Z

So, there is a do/wrap-resolve (it was there but undocumented) that can be used to transform the autogenerated resolvers.

So, something like:

(def all-attributes (mapv 
                                  wrap-my-special-transform
                                  list-of-attributes))

is possible.

Is that sufficient, or should we consider something else?

Answer 2 · 2021-04-03T19:31:09.000Z

And yes, RAD's auth is definitely not meant to be there still (in db adapter)...should be deprecated at best.

Answer 3 · 2021-04-03T19:39:07.000Z

I'm currently working on generalizing RAD's authorization, and am building on a lot of what exists already (only minor changes so far). What's there is a great start in my opinion.

So, something like...is possible

Yeah that's what I'm currently doing in my authorization work. You can put it right into the parser constructor next to the other pathom plugins.

(defstate parser
  :start
  (pathom/new-parser config
    [(attr/pathom-plugin all-attributes)
     (form/pathom-plugin save/middleware delete/middleware)
     (datomic/pathom-plugin (fn [_env] {:production (:main datomic-connections)}))
     (blob/pathom-plugin bs/temporary-blob-store {:files         bs/file-blob-store
                                                  :avatar-images bs/image-blob-store})]
    auth/pathom-plugin
    [
     automatic-resolvers
     form/resolvers
     (blob/resolvers all-attributes)
     index-explorer
     ,,,
     (auth/generate-authorization-resolvers all-attributes)]))

RAD's auth is definitely not meant to be there still

I'll open a PR with it yanked.