[Proposal] Directives / Security Review Tool

Hey awesome humans,
I'd like to propose the idea of a review "tool" for all services.
Maybe an example:

  1. Start by running some command (example):
     yarn rw g docs directives
  2. Get some output, which could be a simple print or maybe even a fancy pdf/image:
---------------ADMIN-------USER------PUBLIC
Posts
----Create------X----------O-----------O
----READ--------X----------X-----------X
Users
----Create------X----------X-----------X
----UPDATE------X---------[O]----------X

Maybe this could be a way more detailed report including custom directives or maybe custom checks. My idea behind all that is that with growing projects this could be a way to get a quick overview of who can do what.

What do you think of this idea?

Best wishes
Linus


Hey Linus - sounds like an interesting idea to me. I am curious how it would work, exactly.

So you would:

  1. Search the schema for any directives (custom, requireAuth, skipAuth)
     1.1. Parse any roles in the call, e.g. @requireAuth(role: "ADMIN")
  2. Dig into custom directives to parse any AuthenticationError or ForbiddenError rules

How do you find any restrictions built into services, such as validateWith() from this section:

import { validate, validateWith, validateUniqueness } from '@redwoodjs/api'

export const createUser = async ({ input }) => {
  // Declarative field checks: required, not a reserved name, sane length
  validate(input.firstName, 'First name', {
    presence: true,
    excludes: { in: ['Admin', 'Owner'], message: 'That name is reserved, sorry!' },
    length: { min: 2, max: 255 }
  })
  // Custom rule: whatever is thrown here becomes a validation error.
  // `context` is the per-request object Redwood makes available globally on the api side.
  validateWith(() => {
    if (input.role === 'Manager' && !context.currentUser.roles.includes('admin')) {
      throw 'Only Admins can create new Managers'
    }
  })

  // Only runs the create once no other user has this username
  return validateUniqueness('user', { username: input.username }, (db) => {
    return db.user.create({ data: input })
  })
}

Then - I like the chart idea - how does it handle when there are more than 10 groups, etc.? Would it just keep expanding to the right and the terminal scrolls that way?

Hey! I'm pretty new to RedwoodJS, so my technical understanding is kinda limited.
But yeah, as far as I know there are already some checks happening for all the directives. As written in the directives docs: "Redwood checks that all queries and mutations have @requireAuth, @skipAuth or a custom directive applied." If not, rw will throw an error. So there must already be some function for that.

My first idea for restrictions built into services is to use the same approach. Maybe look for all validate, validateWith and validateUniqueness calls and try to parse the content in a useful way.

Perhaps an even better way to output the results is .csv or some other common formats.

Hi @Linues1703.

I've thought about having a tool exactly like that - for GraphQL operations rather than the services per se.

It might be similar to this query you can do in Postgres if you use row level security, which I used in a demo app for Supabase:

You can query all policies via: `select * from pg_policies`.

I imagine one could write a utility that would:

  1. Take the generated schema .redwood/schema.graphql
  2. Use some GraphQL Tools packages to visit the schema
  3. Look for the auth directives
  4. List which have which one and then extract the arguments
  5. Report out

The tough part is that you could have custom validator directives that enforce auth so you couldn’t just look for the requireAuth one.

But something like this is definitely possible.

Please write up an RFC on GitHub and I'm happy to comment.

Note: RedwoodJS does want to implement attribute-based access control (ABAC) that is more read/write/update/add, so perhaps such an audit tool might happen then.
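As an added example (not code from this thread or from RedwoodJS itself), here is a dependency-free JavaScript sketch of the five steps above: it scans a constructed stand-in for .redwood/schema.graphql, pulls the @requireAuth / @skipAuth / custom directive off every Query and Mutation field, and renders the ADMIN/USER/PUBLIC matrix from Linus's proposal. It uses regexes instead of GraphQL Tools, assumes roles are passed as the `roles:` argument (what Redwood's requireAuth directive takes), and treats any other directive as custom, which is the case the reply flags as not checkable by name alone.

```javascript
// Constructed sample standing in for a project's generated .redwood/schema.graphql.
const SDL = `
type Query {
  posts: [Post!]! @skipAuth
  users: [User!]! @requireAuth(roles: ["ADMIN"])
}
type Mutation {
  createPost(input: CreatePostInput!): Post! @requireAuth(roles: ["ADMIN", "USER"])
  updateUser(id: Int!, input: UpdateUserInput!): User! @managerOnly
  createUser(input: CreateUserInput!): User!
}
`
const ROLES = ['ADMIN', 'USER', 'PUBLIC'] // report columns, as in the proposal's chart

// Steps 1+2: every field of the Query and Mutation root types, with its directive text.
function rootFields(sdl) {
  const out = []
  for (const m of sdl.matchAll(/type\s+(Query|Mutation)\s*\{([^}]*)\}/g)) {
    for (const line of m[2].split('\n')) {
      const f = line.match(/^\s*(\w+)\s*(?:\([^)]*\))?\s*:\s*[^@]+?(@.*)?$/)
      if (f) out.push({ op: m[1], name: f[1], directives: f[2] || '' })
    }
  }
  return out
}

// Steps 3+4: X = allowed, O = denied per role; '?' = custom directive (its rule lives in code, review it by hand); null = no directive.
function access(directives) {
  const cells = (f) => Object.fromEntries(ROLES.map((r) => [r, f(r)]))
  if (/@skipAuth\b/.test(directives)) return cells(() => 'X')
  const req = directives.match(/@requireAuth\b(?:\(\s*roles:\s*([^)]*)\))?/)
  if (req) {
    const roles = req[1] ? [...req[1].matchAll(/"(\w+)"/g)].map((x) => x[1]) : null
    return cells((r) => (r !== 'PUBLIC' && (roles === null || roles.includes(r)) ? 'X' : 'O'))
  }
  return /@\w+/.test(directives) ? cells(() => '?') : null
}

// Step 5: render the "who can do what" table and list operations carrying no directive
// (the case Redwood itself refuses to start with).
function report(sdl) {
  const rows = []
  const missing = []
  for (const f of rootFields(sdl)) {
    const a = access(f.directives)
    if (!a) missing.push(`${f.op}.${f.name}`)
    else rows.push(`${f.op}.${f.name}`.padEnd(22) + ROLES.map((r) => a[r].padEnd(8)).join(''))
  }
  const header = 'operation'.padEnd(22) + ROLES.map((r) => r.padEnd(8)).join('')
  return { table: [header, ...rows].join('\n'), missing }
}
```

Calling report(SDL) and printing result.table gives the matrix; result.missing is the list an auditor would chase first, since it is exactly what Redwood's own startup check complains about.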