Skip to main content
Version: Current

Security

Example

const { createPostGraphileSchema } = require("postgraphile");
const pg = require("pg");

const pgPool = new pg.Pool(process.env.DATABASE_URL);

async function runQuery(query, variables) {
const schema = await createPostGraphileSchema(
process.env.DATABASE_URL,
["users_schema", "posts_schema"],
{
dynamicJson: true,
jwtSecret: process.env.JWT_SECRET,
jwtPgTypeIdentifier: "users_schema.jwt_type",
},
);

// Fetch a postgres client from the pool
const pgClient = await pgPool.connect();

// Start a transaction so we can apply settings local to the transaction
await pgClient.query("begin");

try {
// The following statement is equivalent to (but faster than):
// await pgClient.query("set local role to 'postgraphile_user'");
// await pgClient.query("set local jwt.claims.user_id to '27'");
await pgClient.query(`select
set_config('role', 'postgraphile_user', true),
set_config('jwt.claims.user_id', '27', true)
`);
return await graphql(
schema,
query,
null,
/* CONTEXT > */ {
pgClient: pgClient,
} /* < CONTEXT */,
variables,
);
} finally {
// commit the transaction (or rollback if there was an error) to clear the local settings
await pgClient.query("commit");

// Release the pgClient back to the pool.
await pgClient.release();
}
}

runQuery(
"query MyQuery { allPosts { nodes { id, title, author: userByAuthorId { username } } } }",
)
.then((result) => {
console.dir(result);
pgPool.release();
})
.catch((e) => {
console.error(e);
process.exit(1);
});

To see how this works in a real application, check out withPostGraphileContext in PostGraphile