Testing Basestar permissions using depot-local

Depot-local lets you test Basestar permissions locally. To do so, provide a <token, cognito-claims> map in the depot-local config:

const auth: InMemoryCognitoAuth = {
  token1: {
    id: "id1",
    claims: {
      "cognito:groups": ["role1", "role2"],
      "sphinx:role": "admin"
    }
  },
  token2: {
    id: "id1",
    claims: {
      "cognito:groups": ["role3"],
      "sphinx:role": "notAdmin"
    }
  }
};

Then create an environment with the auth config:

const environment = new EnvironmentBuilder(pet, auth)
  .location(LocationBuilder.postgres(crypto.randomUUID().substr(0, 8), depot))
  .build();

Assuming that your schema has a permission expression, e.g.:

pet.Pet:
  type: object
  properties:
    name:
      type: string
    age:
      type: integer
  permissions:
    read:
      expression: 'true'
    create:
      expression: "'role1' in caller.claims['cognito:groups']"
    update:
      expression: 'true'

and that you send an Authorization header with a bearer token on the GQL request, e.g.:

const create = await gqlApi.mutate<PetStore, PetStore>({
  mutation: gql`
    mutation createPet($name: String!, $age: Int!) {
      createPetPet(id: "0987", data: { name: $name, age: $age }, expressions: {}) {
        id
        created
        updated
        schema
        version
        hash
        name
      }
    }
  `,
  variables: {
    name: "ren",
    age: 2
  },
  context: {
    headers: {Authorization: "Bearer token1"}
  }
});

Depot will look up the token in the auth config, load its claims, and use them to evaluate the permission expression.

Behind the scenes

Depot is not responsible for loading claims; that is done by your Cognito pool (either Stage-pass or another solution), so make sure the claims your permission expressions use are provided by your Cognito pool. You can check which claims the pool provides by pasting your token into jwt.io.
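
The same claim check can be done locally, which keeps the token off third-party sites. The following is an added example, not code from depot-local or Basestar: it decodes a token's payload, reports which claims the schema needs but the token lacks, and shapes an entry for the local auth map. All function names are illustrative, the token is constructed, and `canCreatePet` is a hand-written mirror of the `create` expression above that assumes a missing claim means deny.

```typescript
// Added example: names here are illustrative, not part of depot-local or Basestar.
type Claims = Record<string, unknown>;

// Decode the payload (middle segment) of a compact JWT. The signature is NOT
// verified: this is for inspecting claims only, never for authorization.
function decodeJwtClaims(token: string): Claims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const b64 = (parts[1] ?? "").replace(/-/g, "+").replace(/_/g, "/");
  const parsed: unknown = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    throw new Error("JWT payload is not a JSON object");
  }
  return parsed as Claims;
}

// Claims the permission expressions read but the token does not carry.
function missingClaims(claims: Claims, required: string[]): string[] {
  return required.filter((name) => !(name in claims));
}

// Hand-written mirror of the page's create expression
//   'role1' in caller.claims['cognito:groups']
// (assumption: a missing or non-list claim is treated as deny).
function canCreatePet(claims: Claims): boolean {
  const groups = claims["cognito:groups"];
  return Array.isArray(groups) && groups.includes("role1");
}

// Shape an entry for the depot-local auth map from decoded claims, keeping only
// the claims the schema reads. The id is supplied by the caller.
function toAuthEntry(id: string, claims: Claims, keep: string[]) {
  const picked: Claims = {};
  for (const name of keep) if (name in claims) picked[name] = claims[name];
  return { id, claims: picked };
}

// Constructed, unsigned sample token (the signature segment is a placeholder).
function sampleToken(claims: Claims): string {
  const enc = (o: object) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.sig`;
}

const claims = decodeJwtClaims(sampleToken({
  "cognito:groups": ["role1", "role2"], "sphinx:role": "admin", iss: "constructed",
}));
console.log(missingClaims(claims, ["cognito:groups", "sphinx:role"]));
console.log(canCreatePet(claims), toAuthEntry("id1", claims, ["cognito:groups", "sphinx:role"]));
```

Running `missingClaims` against a real pool token before writing tests shows whether a denied `create` comes from the expression or from a claim the pool never issues.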

Read more about expressions and permissions