
Q: How to do both Authentication & Authorization in Playground? #14

Open
Dev-Dipesh opened this issue Sep 4, 2019 · 1 comment
Labels
question Further information is requested

Comments

@Dev-Dipesh

I have deployed the Prisma server locally in Docker with managementApiSecret and also defined it in prisma.yml. Now, there are two issues I'm facing.

  1. Prisma server link http://localhost:4466 from Docker is accessible without setting any header. How can I secure that?

  2. When Graphql Shield is disabled I can query documents on http://localhost:1337 by setting the Authorization header, obtained by using the command prisma token. The problem appears when I enable Graphql Shield. After this, for any and all requests I'm getting:

"message": "Not Authorised!"

even for the resolvers that are marked as allow.

docker-compose.yml

version: '3'
services:
  prisma:
    image: prismagraphql/prisma:1.34
    restart: always
    ports:
    - "4466:4466"
    environment:
      PRISMA_CONFIG: |
        managementApiSecret: PRISMA_SECRET
        port: 4466
        databases:
          default:
            connector: mongo
            database: tcf
            uri: 'mongodb://host.docker.internal/admin'

prisma.yml

# The endpoint of your Prisma API (deployed to a Prisma Sandbox).
endpoint: ${env:PRISMA_ENDPOINT}

# The file containing the definition of your data model.
datamodel:
  - datamodel/users.prisma
  - datamodel/school.prisma
  - datamodel/member.prisma
  - datamodel/group.prisma
  - datamodel/curriculum.prisma
  - datamodel/pillar.prisma
  - datamodel/question.prisma
  - datamodel/scheduler.prisma
  - datamodel/userCurriculum.prisma
  - datamodel/userPillar.prisma
  - datamodel/personalSurvey.prisma
  - datamodel/score.prisma
  - datamodel/survey.prisma
  - datamodel/surveyGroup.prisma
  - datamodel/wblibrary.prisma
  - datamodel/otp.prisma

# Specifies the type of the database
databaseType: document

# Generate
generate:
  - generator: typescript-client
    output: ../src/generated/prisma-client/
  - generator: graphql-schema
    output: ../src/generated/prisma.graphql

hooks:
  post-deploy:
    - prisma generate --endpoint
    - npx nexus-prisma-generate --client ./src/generated/prisma-client --output ./src/generated/nexus-prisma # Runs the codegen tool from nexus-prisma.

secret: PRISMA_SECRET

.env

PRISMA_ENDPOINT="http://localhost:4466/app/dev"
PRISMA_SECRET=PRISMA_SECRET
APP_SECRET=PRISMA_SECRET
PRISMA_MANAGEMENT_API_SECRET=PRISMA_SECRET

permissions/index.ts

import { shield, or, allow, deny } from 'graphql-shield';
import * as rules from './rules'; // assumed path; the issue does not show where the rule definitions live

export const permissions = shield({
  Query: {
    // Global
    '*': or(rules.isSchoolAdmin, rules.isSchoolTeacher, rules.isSuperAdmin),
    profile: rules.isUser,
  },
  Mutation: {
    '*': or(rules.isSchoolAdmin, rules.isSchoolTeacher, rules.isSuperAdmin),
    login: allow,
    signup: allow,
  },
}, { fallbackRule: deny });

Thanks for your help 🙏

@Gomah
Owner

Gomah commented Sep 22, 2019

Hey @Dev-Dipesh

Prisma server link http://localhost:4466 from Docker is accessible without setting any header. How can I secure that?

For a production environment, you probably need to use a VPC (e.g., whitelisting your GraphQL API to your container).

But even if accessed directly, http://localhost:4466/app/dev should not return any schema as there's no Authorization header.

2. When Graphql Shield is disabled I can query documents on http://localhost:1337 by setting the Authorization header, obtained by using the command prisma token. The problem appears when I enable Graphql Shield. After this for any and all requests I'm getting: "message": "Not Authorised!"
even for the resolvers that are marked as allow.

Do you have a repository reproduction for this one?

You actually don't need to use the prisma token when querying the application directly, have you tried to use a token from the login function instead?

@Gomah Gomah added the question Further information is requested label Sep 22, 2019
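As an added illustration of the permission map posted in the issue (example code, not from the issue and not graphql-shield's own implementation): a small model of the order in which a shield map is consulted for each field a request touches, assumed here to be the exact field rule, then the type's '*' rule, then fallbackRule for anything still undefined, which is the behaviour graphql-shield documents. With fallbackRule: deny, the fields of the type that login returns have no rule of their own, so the model shows that marking Mutation.login as allow is not by itself enough; the rule bodies, roles and the AuthPayload/User types are constructed for the example.

```javascript
// Added example (not code from the issue or from graphql-shield): a small model of how a
// shield permission map is consulted for each field a request touches. Assumed lookup
// order, following the documented behaviour: exact field rule, then the type's '*' rule,
// then fallbackRule for anything still undefined (including fields of returned types).
const allow = () => true;
const deny = () => false;
const or = (...rs) => (ctx) => rs.some((r) => r(ctx));

// Constructed stand-ins for the issue's rules.isSchoolAdmin etc.; they read the role a
// login token would place in the request context.
const role = (ctx) => (ctx.user || {}).role;
const rules = {
  isUser: (ctx) => Boolean(ctx.user),
  isSchoolAdmin: (ctx) => role(ctx) === 'SCHOOL_ADMIN',
  isSchoolTeacher: (ctx) => role(ctx) === 'SCHOOL_TEACHER',
  isSuperAdmin: (ctx) => role(ctx) === 'SUPER_ADMIN',
};
const staff = or(rules.isSchoolAdmin, rules.isSchoolTeacher, rules.isSuperAdmin);

// The permission map from the issue, with fallbackRule: deny.
const permissions = {
  Query: { '*': staff, profile: rules.isUser },
  Mutation: { '*': staff, login: allow, signup: allow },
};
const strict = { fallbackRule: deny };

// Same map plus explicit rules for the (constructed) types that login returns.
const permissionsWithPayload = {
  ...permissions,
  AuthPayload: { '*': allow },
  User: { '*': allow },
};

function ruleFor(map, type, field, opts) {
  const typeRules = map[type] || {};
  return typeRules[field] || typeRules['*'] || opts.fallbackRule;
}

// Returns the first (type, field) pair the caller is not allowed to read, or null.
function firstDenied(map, opts, touched, ctx) {
  for (const [type, field] of touched) {
    if (!ruleFor(map, type, field, opts)(ctx)) return `${type}.${field}`;
  }
  return null;
}

// Constructed request: mutation { login { token user { id } } } from an anonymous caller.
const loginSelection = [['Mutation', 'login'], ['AuthPayload', 'token'], ['AuthPayload', 'user'], ['User', 'id']];
const anonymous = { user: null };
```

Running firstDenied(permissions, strict, loginSelection, anonymous) stops at AuthPayload.token, the first field that falls through to the deny fallback, while the same request passes once the returned types carry rules of their own.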