Configuration basique des rôles en mode 'dev'

2020-06-21 14:22:06 +02:00 · 2020-06-21 14:22:06 +02:00 · d85edd949c
parent 569a44591c
commit d85edd949c
1 changed files with 84 additions and 62 deletions
--- a/backend/config/dev.yml
+++ b/backend/config/dev.yml
@ -1,9 +1,9 @@
-app_name: "Test Development"
+app_name: "Daddy Dev"
 host_port: 0.0.0.0:8080
 web_ui: true

 # debug, error, warn, info
-log_level: "info"
+log_level: debug

 # enable or disable http compression (uses gzip)
 http_compress: true
@ -15,7 +15,7 @@ http_compress: true
 production: false

 # Throw a 401 on auth failure for queries that need auth
-auth_fail_block: false
+auth_fail_block: true

 # Latency tracing for database queries and remote joins
 # the resulting latency information is returned with the
@ -65,18 +65,16 @@ cors_debug: false
 auth:
  # Can be 'rails', 'jwt' or 'header'
  type: jwt
-  cookie: _supergraph_session
+  #cookie: _supergraph_session

  # Comment this out if you want to disable setting
  # the user_id via a header for testing. 
  # Disable in production
-  creds_in_header: true
+  #creds_in_header: false

-  # jwt:
-  #   provider: auth0
-  #   secret: abc335bfcfdb04e50db5bb0a4d67ab9
-  #   public_key_file: /secrets/public_key.pem
-  #   public_key_type: ecdsa #rsa
+  jwt:
+    provider: hydra
+    jwks_url: http://hydra:4444/.well-known/jwks.json

  # header:
  #   name: dnt
@ -87,16 +85,16 @@ auth:
 # In this example actions using this auth can only be
 # called from the Google Appengine Cron service that
 # sets a special header to all it's requests
-auths:
-  - name: from_taskqueue
-    type: header
-    header:
-      name: X-Appengine-Cron
-      exists: true
+# auths:
+  # - name: from_taskqueue
+  #   type: header
+  #   header:
+  #     name: X-Appengine-Cron
+  #     exists: true

 database:
  type: postgres
-  host: db
+  host: localhost
  port: 5432
  dbname: daddy
  user: daddy
@ -105,19 +103,19 @@ database:
  #schema: "public"
  #pool_size: 10
  #max_retries: 0
-  #log_level: "debug"
+  log_level: "debug"

  # Set session variable "user.id" to the user id
  # Enable this if you need the user id in triggers, etc
-  set_user_id: false
+  set_user_id: true

  # database ping timeout is used for db health checking
  ping_timeout: 1m

  # Define additional variables here to be used with filters
  variables:
-    #admin_account_id: "5"
-    admin_account_id: "sql:select id from users where admin = true limit 1"
+    # admin_account_id: "5"
+    # admin_account_id: "sql:select id from users where admin = true limit 1"


  # Field and table names that you wish to block
@ -135,67 +133,91 @@ database:
 # which in this case refreshes a materialized view in the database.
 # The auth_name is from one of the configured auths
 actions:
-  - name: refresh_leaderboard_users
-    sql: REFRESH MATERIALIZED VIEW CONCURRENTLY "leaderboard_users"
-    auth_name: from_taskqueue
+  # - name: refresh_leaderboard_users
+  #   sql: REFRESH MATERIALIZED VIEW CONCURRENTLY "leaderboard_users"
+  #   auth_name: from_taskqueue

 tables:
-  - name: customers
-    remotes:
-      - name: payments
-        id: stripe_id
-        url: http://rails_app:3000/stripe/$id
-        path: data
-        # debug: true
-        pass_headers: 
-          - cookie
-        set_headers:
-          - name: Host
-            value: 0.0.0.0
+  # - name: customers
+  #   remotes:
+  #     - name: payments
+  #       id: stripe_id
+  #       url: http://rails_app:3000/stripe/$id
+  #       path: data
+  #       # debug: true
+  #       pass_headers: 
+  #         - cookie
+  #       set_headers:
+  #         - name: Host
+  #           value: 0.0.0.0
          # - name: Authorization
          #   value: Bearer <stripe_api_key>

-  - # You can create new fields that have a
-    # real db table backing them
-    name: me
-    table: users
+  # - # You can create new fields that have a
+  #   # real db table backing them
+  #   name: me
+  #   table: users


-#roles_query: "SELECT * FROM users WHERE id = $user_id"
+roles_query: "select * from users where users.email = $user_id"

 roles:
+  # Rôle par défaut si l'utilisateur n'existe pas dans la table `users`
  - name: anon
    tables:
-      - name: users
-        query:
-          limit: 10
+      # - name: users
+      #   insert:
+      #     block: true
+      #   query:
+      #     block: true
+      #   update:
+      #     block: true
+      #   delete:
+      #     block: true

+  # Rôle par défaut si l'utilisateur existe dans la table `users`
+  # mais que la valeur de la colonne `role` n'est pas définie
  - name: user
    tables:
      - name: users
-        query:
-          filters: ["{ id: { _eq: $user_id } }"]
-
-      - name: products
-        query:
-          limit: 50
-          filters: ["{ user_id: { eq: $user_id } }"]
-          disable_functions: false
-
        insert:
-          filters: ["{ user_id: { eq: $user_id } }"]
-          presets:
-            - user_id: "$user_id"
-            - created_at: "now"
-            
+          block: true
+        query:
+          filters: ["{ email: { _eq: $user_id } }"]
        update:
-          filters: ["{ user_id: { eq: $user_id } }"]
-          presets:
-            - updated_at: "now"
-
+          columns:
+            - full_name
+          filters: ["{ email: { _eq: $user_id } }"]
        delete:
          block: true

+  - name: admin
+    match: role = 'admin'
+    tables:
+      - name: users
+        query:
+          filters: []
+
+      # - name: products
+      #   query:
+      #     limit: 50
+      #     filters: ["{ user_id: { eq: $user_id } }"]
+      #     disable_functions: false
+
+      #   insert:
+      #     filters: ["{ user_id: { eq: $user_id } }"]
+      #     presets:
+      #       - user_id: "$user_id"
+      #       - created_at: "now"
+            
+      #   update:
+      #     filters: ["{ user_id: { eq: $user_id } }"]
+      #     presets:
+      #       - updated_at: "now"
+
+        # delete:
+        #   block: true
+
  # - name: admin
  #   match: id = 1000
  #   tables: