# graphql-authz
[](https://github.com/officialpycasbin/graphql-authz/actions/workflows/build.yml)
[](https://coveralls.io/github/officialpycasbin/graphql-authz)
[](https://pypi.org/project/casbin-graphql-authz/)
[](https://pypi.org/project/casbin-graphql-authz/)
[](https://pypi.org/project/casbin-graphql-authz/)
[](https://pypi.org/project/casbin-graphql-authz/)
[](https://discord.gg/S5UjpzGZjN)
GraphQL-Authz is a Python port of [GraphQL-Authz](https://github.com/node-casbin/graphql-authz), the [Casbin](https://casbin.org/) authorization middleware implementation in [Node.js](https://nodejs.org/en/).
This package should be used with [GraphQL-core 3](https://github.com/graphql-python/graphql-core), providing the
capability to limit access to each GraphQL resource with the authorization middleware.
## Installation
Install the package using pip.
```shell
pip install casbin-graphql-authz
```
Get Started
--------
Limit the access to each GraphQL resource with a policy. For example,
given this policy for an [RBAC](https://casbin.org/docs/rbac/) model:
```csv
p, authorized_user, hello, query
```
Authorization can be enforced using:
```python3
import casbin
from authz.middleware import enforcer_middleware
from graphql import (
graphql_sync,
GraphQLSchema,
GraphQLObjectType,
GraphQLField,
GraphQLString,
)
schema = GraphQLSchema(
query=GraphQLObjectType(
name="RootQueryType",
fields={
"hello": GraphQLField(
GraphQLString,
resolve=lambda obj, info: "world")
}))
enforcer = casbin.Enforcer("model_file.conf", "policy_file.csv")
authorization_middleware = enforcer_middleware(enforcer)
query = """{ hello }"""
# Authorized user ("authorized_user") has access to data
response = graphql_sync(
schema,
query,
middleware=[authorization_middleware],
context_value={"role": "authorized_user"}
)
assert response.data == {"hello": "world"}
# Unauthorized users ("unauthorized_user") are rejected
response = graphql_sync(
schema,
query,
middleware=[authorization_middleware],
context_value={"role": "unauthorized_user"}
)
assert response.errors[0].message == "unauthorized_user can not query hello"
```
For more interesting scenarios see `tests` folder.
## Credits
Implementation was heavily inspired by the [Node.js](https://nodejs.org/en/) middleware [GraphQL-Authz](https://github.com/node-casbin/graphql-authz).
Authorization enforcement is based on [Casbin](https://casbin.org/) authorization library.
Raw data
{
"_id": null,
"home_page": "https://github.com/officialpycasbin/graphql-authz",
"name": "casbin-graphql-authz",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.6",
"maintainer_email": null,
"keywords": "casbin, GraphQL, GraphQL middleware, rbac, access control, abac, acl, permission",
"author": "Ezequiel Grondona",
"author_email": "ezequiel.grondona@gmail.com",
"download_url": "https://files.pythonhosted.org/packages/cd/e6/174b5cd291d9965318fbb44f9b4c195689109d4d2265fdba685c59f4a215/casbin_graphql_authz-1.4.0.tar.gz",
"platform": null,
"description": "# graphql-authz\n\n[](https://github.com/officialpycasbin/graphql-authz/actions/workflows/build.yml)\n[](https://coveralls.io/github/officialpycasbin/graphql-authz)\n[](https://pypi.org/project/casbin-graphql-authz/)\n[](https://pypi.org/project/casbin-graphql-authz/)\n[](https://pypi.org/project/casbin-graphql-authz/)\n[](https://pypi.org/project/casbin-graphql-authz/)\n[](https://discord.gg/S5UjpzGZjN)\n\nGraphQL-Authz is a Python port of [GraphQL-Authz](https://github.com/node-casbin/graphql-authz), the [Casbin](https://casbin.org/) authorization middleware implementation in [Node.js](https://nodejs.org/en/).\n\nThis package should be used with [GraphQL-core 3](https://github.com/graphql-python/graphql-core), providing the\ncapability to limit access to each GraphQL resource with the authorization middleware.\n\n## Installation\n\nInstall the package using pip.\n\n```shell\npip install casbin-graphql-authz\n```\n\nGet Started\n--------\n\nLimit the access to each GraphQL resource with a policy. For example,\ngiven this policy for an [RBAC](https://casbin.org/docs/rbac/) model:\n\n```csv\np, authorized_user, hello, query\n```\n\nAuthorization can be enforced using:\n\n```python3\nimport casbin\nfrom authz.middleware import enforcer_middleware\n\nfrom graphql import (\n graphql_sync,\n GraphQLSchema,\n GraphQLObjectType,\n GraphQLField,\n GraphQLString,\n)\n\n\nschema = GraphQLSchema(\n query=GraphQLObjectType(\n name=\"RootQueryType\",\n fields={\n \"hello\": GraphQLField(\n GraphQLString,\n resolve=lambda obj, info: \"world\")\n }))\n\nenforcer = casbin.Enforcer(\"model_file.conf\", \"policy_file.csv\")\nauthorization_middleware = enforcer_middleware(enforcer)\n\nquery = \"\"\"{ hello }\"\"\"\n\n# Authorized user (\"authorized_user\") has access to data\nresponse = graphql_sync(\n schema,\n query,\n middleware=[authorization_middleware],\n context_value={\"role\": \"authorized_user\"}\n)\nassert response.data == {\"hello\": \"world\"}\n\n# Unauthorized users (\"unauthorized_user\") are rejected\nresponse = graphql_sync(\n schema,\n query,\n middleware=[authorization_middleware],\n context_value={\"role\": \"unauthorized_user\"}\n)\nassert response.errors[0].message == \"unauthorized_user can not query hello\"\n```\n\nFor more interesting scenarios see `tests` folder.\n\n## Credits\n\nImplementation was heavily inspired by the [Node.js](https://nodejs.org/en/) middleware [GraphQL-Authz](https://github.com/node-casbin/graphql-authz).\n\nAuthorization enforcement is based on [Casbin](https://casbin.org/) authorization library.\n",
"bugtrack_url": null,
"license": "Apache 2.0",
"summary": "graphql-authz is an casbin authorization middleware for GraphQL",
"version": "1.4.0",
"project_urls": {
"Homepage": "https://github.com/officialpycasbin/graphql-authz"
},
"split_keywords": [
"casbin",
" graphql",
" graphql middleware",
" rbac",
" access control",
" abac",
" acl",
" permission"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "e1b64aad829712251b1072428e542dfc8a7757ac0e8d445d536d73390ea7f32c",
"md5": "c784022eebbbdbedf44bc638efb26220",
"sha256": "72f8ab2e55a16f7b9f0c50d99c3ce7a3580cd95c7a46c72c40d9c96ba565feb5"
},
"downloads": -1,
"filename": "casbin_graphql_authz-1.4.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "c784022eebbbdbedf44bc638efb26220",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.6",
"size": 9629,
"upload_time": "2025-08-17T08:24:07",
"upload_time_iso_8601": "2025-08-17T08:24:07.697151Z",
"url": "https://files.pythonhosted.org/packages/e1/b6/4aad829712251b1072428e542dfc8a7757ac0e8d445d536d73390ea7f32c/casbin_graphql_authz-1.4.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "cde6174b5cd291d9965318fbb44f9b4c195689109d4d2265fdba685c59f4a215",
"md5": "9891bf67be65cee5728e0b92fb8d8740",
"sha256": "f14ca1919986f72c3647ae0831b59d5b5b06b11fcafda552030530075332f97c"
},
"downloads": -1,
"filename": "casbin_graphql_authz-1.4.0.tar.gz",
"has_sig": false,
"md5_digest": "9891bf67be65cee5728e0b92fb8d8740",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.6",
"size": 8644,
"upload_time": "2025-08-17T08:24:08",
"upload_time_iso_8601": "2025-08-17T08:24:08.822956Z",
"url": "https://files.pythonhosted.org/packages/cd/e6/174b5cd291d9965318fbb44f9b4c195689109d4d2265fdba685c59f4a215/casbin_graphql_authz-1.4.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-08-17 08:24:08",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "officialpycasbin",
"github_project": "graphql-authz",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [
{
"name": "graphql-core",
"specs": []
}
],
"lcname": "casbin-graphql-authz"
}
JSON
