Configuration
Configuration¶
Mongoke defines its entire configuration in a yaml file that can be used to generate the entire graphql server.
This configuration can be used inside the docker image in the default path /config.yml
.
Configuration:
schema?: Str
schema_url?: Url
schema_path?: Str
types:
...:
collection: Str
exposed?: Bool
pipeline?: [Any]
disambiguations?:
...: Str
guards?: [
expression: Str
excluded?: [Str]
when?: "after" | "before"
]
relations?: [
from: Str
to: Str
relation_type: "to_many" | "to_one"
field: Str
where: Any
]
jwt?:
secret?: Str
header_name?: Str # default is "Authorization"
header_scheme?: Str # default is "Bearer"
required?: Bool
algorithms?: ["H256" | "HS512" | "HS384" | "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES521" | "ES512" | "PS256" | "PS384" | "PS512"]
Url: Str
Types¶
Individual types config defined as an object where keys are the type names and values are the type configuration.
types:
...:
collection: Str
exposed?: Bool
pipeline?: [Any]
guards?: [
expression: Str
when?: "after" | "before"
excluded?: [Str]
]
disambiguations?:
...: Str
collection¶
Defines to what collection the type is associated with
exposed¶
Defines if the type is exposed to graphql, useful when you whant to use certain types only as relations
pipeline¶
custom mongodb pipeline to execute during the database query
disabiguations¶
necessary when querying a union type, to determine the actual type. it is an object where keys are type names and values are expressions. The expressions are evaluated until one is found true and the right __type is applied
Guards¶
List of expressions to limit the access of the type fields to only certain users, based on jwt payload and the document data.
guards?: [
expression: Str
excluded?: [Str]
when?: "after" | "before"
]
when¶
decides if you want to evaluate the expression before or after querying the database, if you use before you save resources but have access to only the user jwt (if any) and not to the document to decide if user is authorized
expression¶
python expression that can evaluate to true if you want to give user access to the type, expression is evaluated in python and has access to
- x: the current document, available only if using when=after
- jwt: the user jwt payload, can contain whatever you put inside it, by default extracted from the Authorization header and not verified.
excluded¶
By default the guards give access to all the document fields, you can limit the fileds you give access to by putting them inside exclude
.
To implement different levels of authorization with access to different fields you can use many guards where the most protected is the first so that the evaluation stops at the weakest permissions required possible.
Relations¶
Defined as a list of configurations to add connections between types.
relations?: [
from: Str
to: Str
relation_type: "to_many" | "to_one"
field: Str
where: Any # the mongodb query
]
from¶
The type where the relation's field is added
to¶
The type the relation leads to
field¶
The field added to the from
type to connect the to
type
relation_type¶
if "to_one" the field in graphql will be a simple type reference and can be queried with
{
owner {
email
pet {
name
}
}
}
If "to_many" the field will resolve to a connection and can be queried like this
{
zoo {
pets(first: 10) {
nodes {
name
}
}
}
}
where¶
The mongodb where query to find the related documents, you can evaluate custom python code inside the \${{ }} and have access to parent: the from
document as a python dict.
The code inside \${{ }} will be evaluated during every query that needs the relation and the evaluation result will be used to query the to
collection.
Jwt configuration¶
Configure how to handle jwt authentication, by default the jwt is not verified, to verify it add the secret
field with the secret used to sign the jwt. You can require a jwt for all the query fields adding the required
field.
jwt?:
secret?: Str
header_name?: Str # default is "Authorization"
header_scheme?: Str # default is "Bearer"
required?: Bool
algorithms?: ["H256" | "HS512" | "HS384" | "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES521" | "ES512" | "PS256" | "PS384" | "PS512"]
required¶
if specified, only users with jwt signed with the right secret have access to the resources, needs secret to work. By default the secret is not required and not verified.
secret¶
Used when required is present to check if jwt is signed
algorithms¶
A list of algotihtm to decode the jwt, to see the full list chech the python pyJwt library