pragmalang/pragma

Super user (root user) that can access everything

anasbarg opened this issue · 1 comments

I was thinking about adding a @superuser directive which works just like @user but it creates a root user for every model annotated with it where the value of the password field (or any field in that model annotated with @secretCredential) is the ROOT_SECRET environment variable.

Example:

@superuser
@1 model Admin {
  @1 username: String @primary @publicCredential
  @2 password: String @secretCredential
}

This will create a user model called Admin and you'll be able to log in as root if you know the value of the ROOT_SECRET environment variable:

mutation {
  Admin {
    login(username: "root", password: "<VALUE OF ROOT_SECRET>")
  }
}

and this mutation will return a JWT that allows you to do everything an Admin can do. Of course you'd have to define the permissions of the Admin role:

role Admin {
  allow ALL Any
}

Note: The Any syntax is not yet implemented but should be available soon. Check out #64

Or maybe we can have this as the default permission for @superuser models, and you can then override it if you want.

A simpler solution would be adding a command like pragma root-token <secret> and this will generate a JWT of this shape when decoded:

{
  "role": "__root__",
  "userId": "__root__"
}

And this can be used to do anything.

This makes sense because if you know the secret with which the app is deployed, you should be able to have access to everything.
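As an added example (not Pragma's own code), the root-token idea above worked through in Python: mint_root_token builds a JWT with the proposed __root__ claims from the deployment secret, and verify_token accepts it only when presented with the same secret. The HS256 signing, the hand-rolled JWT encoding and the demo secret are assumptions, since the issue does not say how the token is signed.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Claims proposed in the issue for the root token.
ROOT_CLAIMS = {"role": "__root__", "userId": "__root__"}


def _b64url(data: bytes) -> str:
    # JWTs use unpadded base64url (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret: str, signing_input: str) -> bytes:
    # HS256: HMAC-SHA256 over "<header>.<payload>" keyed with the deployment secret (assumed).
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()


def mint_root_token(secret: str) -> str:
    """Equivalent of `pragma root-token <secret>`: a JWT carrying ROOT_CLAIMS, signed with `secret`."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(p, separators=(",", ":"), sort_keys=True).encode())
             for p in (header, ROOT_CLAIMS)]
    signing_input = ".".join(parts)
    return f"{signing_input}.{_b64url(_sign(secret, signing_input))}"


def verify_token(token: str, secret: str) -> Optional[dict]:
    """Return the claims if `token` is a well-formed HS256 JWT signed with `secret`, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        # Constant-time signature check before anything inside the token is trusted.
        if not hmac.compare_digest(_sign(secret, f"{header_b64}.{payload_b64}"), _b64url_decode(sig_b64)):
            return None
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: a header claiming "none" or another alg is rejected.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None


def is_root(claims: Optional[dict]) -> bool:
    """True only for a verified token whose claims are exactly the proposed root identity."""
    return bool(claims) and claims.get("role") == "__root__" and claims.get("userId") == "__root__"
```

The proposed claims carry no exp, so a minted token stays valid until ROOT_SECRET itself is rotated.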