Description
Take the following AuthorizationRequirement:
namespace GraphQLNet.AuthRequirements
{
public class IsSelf : IAuthorizationRequirement
{
public Task Authorize(AuthorizationContext context)
{
var user = context.User;
object idArg;
if (context.InputVariables.TryGetValue("userID", out idArg)
&& user.HasClaim(c => c.Type == "ID" && c.Value == idArg.ToString())
|| user.IsInRole(Roles.Admin))
{
return Task.CompletedTask;
};
context.ReportError("You cannot access private fields of another user.");
return Task.CompletedTask;
}
}
}
It can be defeated with the following query:
query users($user: String) {
users(id: $user) {
id
privateStuff // Secured with IsSelf
}
}
//Variables:
{
"userID": "myUserID",
"user": "someoneElse'sUserID"
}
This is because AuthorizationContext.InputVariables accesses the variables object whereas IResolveFieldContext.GetArgument<>() accesses variables from the query arguments, whose names are defined by the schema.
As it stands now, there is no way to secure fields based on what arguments are allowed to be passed in. In fact, as shown above, there is no point in securing the variables object's key names since any other variable name can be passed in as a query argument.
Resolution:
Pass IResolveFieldContext.Arguments as AuthorizationContext.Arguments into IAuthorizationRequirement.Authorize.
This only makes sense as AuthorizationRequirements are supposed to define authorization for fields, therefore, they should look at the same context that they are securing.