Awesome Open Source


graphql-authz is a Casbin authorization middleware for GraphQL.js



npm install graphql-authz
// or
yarn add graphql-authz

Get Started

This package should be used together with graphql and graphql-middleware.

To limit access to each endpoint, you can use a Casbin policy or a GraphQL directive.

In the policy method, you write Casbin policy rules like


to restrict access to each endpoint.

In the directive method, you can use the directive @can to do the same thing.

Here's a minimal example. You can find the full example in tests/server.test.ts.

import { applyMiddleware } from 'graphql-middleware';
import { newMiddleware, CanDirective, CasbinContextEnforcerKey } from 'graphql-authz';
import { newEnforcer } from 'casbin';
import { ApolloServer } from 'apollo-server';
import { makeExecutableSchema } from '@graphql-tools/schema';

// Placeholder, not part of graphql-authz: replace with your own token-to-user lookup.
// The middleware reads the caller's role from the object stored under context[ctxMember].
const getUser = (token: string) => (token ? { role: 'user' } : undefined);

(async () => {
  // After graphql-js 14.0.0, you should manually define the directive in the SDL.
  const typeDefs = `
    directive @can(who: String!) on FIELD_DEFINITION

    type User {
      id: ID! @can(who: "user")
      name: String @can(who: "someone")
    }

    # A schema needs at least one Query field; this one is a placeholder.
    type Query {
      me: User
    }
  `;

  const resolvers = {
    // your resolvers go here; this one is a placeholder
    Query: { me: () => ({ id: '1', name: 'alice' }) },
  };

  // If you want to use the directive, registering CanDirective here is necessary.
  // You can leave out schemaDirectives in the policy-only method.
  const schemaWithDirective = makeExecutableSchema({
    typeDefs,
    resolvers,
    schemaDirectives: {
      can: CanDirective,
    },
  });

  // As for now, you should use the model tests/casbin.conf to initialize the enforcer.
  // For more info about the enforcer, refer to the Casbin documentation.
  const enforcer = await newEnforcer('tests/casbin.conf', 'tests/policy.csv');

  const middleware = await newMiddleware({
    ctxMember: 'user', // the middleware reads the current user's role from context[ctxMember]
    enforcer: enforcer, // Casbin instance
  });

  // Apply the middleware to the GraphQL schema.
  const schemaWithDirectiveMiddleware = applyMiddleware(schemaWithDirective, middleware);

  const server = new ApolloServer({
    schema: schemaWithDirectiveMiddleware,
    context: ({ req }) => {
      // Provide the necessary info in the context.
      const token = req.headers.authorization || '';

      // Try to retrieve a user with the token.
      const user = getUser(token);

      const a: any = {};
      a[CasbinContextEnforcerKey] = enforcer;
      a['user'] = user;
      return a;
    },
  });

  const { url } = await server.listen();
  console.log(`Server ready at ${url}`);
})();
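To make the flow above concrete without a running Apollo server or a Casbin install, here is an added illustration (not graphql-authz's own code) of what the middleware does per field: it reads the caller's role from context[ctxMember] and the enforcer from context[CasbinContextEnforcerKey], asks the enforcer whether (role, Type, field) is permitted, and only then calls the resolver. The toy enforcer, the policy rows, the value of the context key, the (subject, object, action) request shape and the mapping of @can(who: "...") onto policy rows are all assumptions made for this example, not the project's implementation; the SDL and records are constructed.

```typescript
// Added example, not part of graphql-authz: a toy enforcer plus a
// graphql-middleware-style field guard, with default deny.

type PolicyRow = [string, string, string, string]; // p, sub, obj, act

// Minimal stand-in for casbin's Enforcer: exact-match lookup, no policy => deny.
// (casbin's real enforce() is async; this toy is synchronous.)
class ToyEnforcer {
  private rows: PolicyRow[];
  constructor(rows: PolicyRow[]) {
    this.rows = rows.filter((r) => r[0] === 'p');
  }
  enforce(sub: string, obj: string, act: string): boolean {
    return this.rows.some(([, s, o, a]) => s === sub && o === obj && a === act);
  }
}

// Constructed SDL in the README's shape; "email" deliberately has no @can.
const SDL = `
directive @can(who: String!) on FIELD_DEFINITION

type User {
  id: ID! @can(who: "user")
  name: String @can(who: "someone")
  email: String
}
`;

// Read 'type X { field: T @can(who: "role") }' into policy rows. This is an
// assumed equivalence between the directive and policy methods, not CanDirective's code.
function policyFromDirectives(sdl: string): PolicyRow[] {
  const rows: PolicyRow[] = [];
  let currentType: string | null = null;
  for (const raw of sdl.split('\n')) {
    const line = raw.trim();
    const typeMatch = /^type\s+(\w+)\s*\{/.exec(line);
    if (typeMatch) { currentType = typeMatch[1]; continue; }
    if (line === '}') { currentType = null; continue; }
    const fieldMatch = /^(\w+)\s*(?:\([^)]*\))?\s*:[^@]*@can\(who:\s*"([^"]+)"\)/.exec(line);
    if (currentType && fieldMatch) rows.push(['p', fieldMatch[2], currentType, fieldMatch[1]]);
  }
  return rows;
}

// Assumed key value; the real package exports CasbinContextEnforcerKey.
const CasbinContextEnforcerKey = 'casbin.enforcer';

interface ResolveInfo { parentType: { name: string }; fieldName: string; }
type Resolver = (parent: any, args: any, ctx: any, info: ResolveInfo) => any;

// graphql-middleware resolver wrapper: (resolve, parent, args, ctx, info).
function newMiddleware(opts: { ctxMember: string; enforcer: ToyEnforcer }) {
  return (resolve: Resolver, parent: any, args: any, ctx: any, info: ResolveInfo) => {
    const enforcer: ToyEnforcer = ctx[CasbinContextEnforcerKey] || opts.enforcer;
    // An unauthenticated caller gets a role with no policy rows, so it is denied.
    const subject = ctx[opts.ctxMember] ? ctx[opts.ctxMember].role : 'anonymous';
    if (!enforcer.enforce(subject, info.parentType.name, info.fieldName)) {
      throw new Error(`Forbidden: ${subject} may not read ${info.parentType.name}.${info.fieldName}`);
    }
    return resolve(parent, args, ctx, info);
  };
}

// Constructed policy: rows derived from the directives plus an explicit admin grant.
const POLICY: PolicyRow[] = [
  ...policyFromDirectives(SDL),
  ['p', 'admin', 'User', 'id'],
  ['p', 'admin', 'User', 'name'],
];

// Resolve one User field as the given role (null = unauthenticated).
// Returns the field value, or 'DENIED' when the guard throws.
function resolveField(role: string | null, field: string): string {
  const enforcer = new ToyEnforcer(POLICY);
  const guard = newMiddleware({ ctxMember: 'user', enforcer });
  const ctx: any = { [CasbinContextEnforcerKey]: enforcer, user: role ? { role } : undefined };
  const info: ResolveInfo = { parentType: { name: 'User' }, fieldName: field };
  const record: Record<string, string> = { id: '42', name: 'alice', email: 'a@example.test' };
  try {
    return guard((parent) => parent[field], record, {}, ctx, info);
  } catch {
    return 'DENIED';
  }
}

console.log(resolveField('user', 'id'), resolveField('user', 'name'), resolveField('admin', 'email'));
```

The point to take from the example is the default-deny shape: a field that carries no @can and appears in no policy row (email here) is unreadable even for admin, and an unauthenticated caller never matches a row. When wiring the real package, that is why the context must carry both the enforcer and the user object under ctxMember for every request.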

Getting Help


This project is under Apache 2.0 License. See the LICENSE file for the full license text.
