springboot环境下GraphQL权限认证的实现方法

先放上github的链接GraphQL demo

pom

<!--        graphQL依赖-->

        <dependency>

            <groupId>org.jetbrains.kotlin</groupId>

            <artifactId>kotlin-stdlib</artifactId>

            <version>${kotlin.version}</version>

        </dependency>

        <dependency>

            <groupId>com.graphql-java-kickstart</groupId>

            <artifactId>graphql-spring-boot-starter</artifactId>

            <version>5.10.0</version>

        </dependency>

        <dependency>

            <groupId>com.graphql-java-kickstart</groupId>

            <artifactId>altair-spring-boot-starter</artifactId>

            <version>5.10.0</version>

            <scope>test</scope>

        </dependency>

        <dependency>

            <groupId>com.graphql-java-kickstart</groupId>

            <artifactId>graphiql-spring-boot-starter</artifactId>

            <version>5.10.0</version>

            <scope>test</scope>

        </dependency>

        <dependency>

            <groupId>com.graphql-java-kickstart</groupId>

            <artifactId>playground-spring-boot-starter</artifactId>

            <version>5.10.0</version>

            <scope>test</scope>

        </dependency>

GraphQL要实现权限认证主要是依靠directive

先创建一个directive

public class RoleDirective implements SchemaDirectiveWiring {

    @Override

    public GraphQLFieldDefinition onField(SchemaDirectiveWiringEnvironment<GraphQLFieldDefinition> env) {

        List<String> targetRoles = (List<String>) env.getDirective().getArgument("roles").getValue();

        DataFetcher originDataFetcher = env.getFieldDataFetcher();

        env.setFieldDataFetcher(new DataFetcher() {

            @Override

            public Object get(DataFetchingEnvironment environment) throws Exception {

                // 从线程上下文中获取用户身份信息

                AuthContextHolder authContextHolder = new AuthContextHolder();

                AuthContext authContext = authContextHolder.getContext();

                // 权限认证逻辑

                if (targetRoles.contains(authContext.getRole())) {

                    // 用户身份在给定的role列表中，调用dataFetcher返回数据

                    return originDataFetcher.get(environment);

                } else {

                    // 用户身份不在role列表中，直接返回null

                    return null;

                }

            }

        });

        return env.getElement();

    }

}

接下来就是对directive进行配置

    // 像这样添加roleDirective，如果要添加多个就创建多个类似的Bean

    @Bean

    public SchemaDirective myCustomDirective() {

        return new SchemaDirective("role", new RoleDirective());

    }

.graphqls文件写法

directive @role(roles:[String!]!) on FIELD_DEFINITION

type Book {

    id: ID

    name: String

    pageNum: Int    @role(roles:["ADMIN"])

    authorId: ID    @role(roles:["ADMIN"])

    author:Author

}

至此，对GraphQL的权限认证配置就完成了。
AuthContextHolder的实现可以看这片文章Java权限认证实现原理