@mryhryki
Last active May 24, 2024 07:18

OpenFGA Tutorial

These are my notes on the OpenFGA tutorial.

https://openfga.dev/docs/getting-started

Note

  • Clear all data: docker compose rm postgres

Setup OpenFGA

https://openfga.dev/docs/getting-started/setup-openfga/overview

Docker

docker run -p 8080:8080 -p 8081:8081 -p 3000:3000 openfga/openfga run

Docker Compose

docker compose up

Open Browser

open 'http://localhost:3000/playground'

OpenFGA Tutorial

Getting Started

https://openfga.dev/docs/getting-started

Install SDK Client

See package.json

Configure Authorization Model

https://openfga.dev/docs/getting-started/configure-model

Update Relationship Tuples

https://openfga.dev/docs/getting-started/update-tuples

I guess the tuples represent the actual structure of the data.

I was able to send the query.


Perform a Check

https://openfga.dev/docs/getting-started/perform-check

Perform a List Objects call

https://openfga.dev/docs/getting-started/perform-list-objects

SKIP (TODO)

https://openfga.dev/docs/getting-started/cli

https://openfga.dev/docs/getting-started/framework

Immutable Authorization Models

https://openfga.dev/docs/getting-started/immutable-models

Running OpenFGA in Production

https://openfga.dev/docs/getting-started/running-in-production

Best Practices of Managing Tuples and Invoking APIs

https://openfga.dev/docs/getting-started/tuples-api-best-practices

Modeling Guide

https://openfga.dev/docs/modeling

Get Started with Modeling

https://openfga.dev/docs/modeling/getting-started


```
node_modules/**
package-lock.json
```
```yaml
networks:
  openfga:

services:
  postgres:
    image: postgres:14
    container_name: postgres
    networks:
      - openfga
    ports:
      - "5432:5432"
    environment:
      # Sample credentials for local use only
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=password
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready -U postgres" ]
      interval: 5s
      timeout: 5s
      retries: 5

  # One-shot job that applies the datastore schema before the server starts
  migrate:
    depends_on:
      postgres:
        condition: service_healthy
    image: openfga/openfga:latest
    container_name: migrate
    command: migrate
    environment:
      - OPENFGA_DATASTORE_ENGINE=postgres
      - OPENFGA_DATASTORE_URI=postgres://postgres:password@postgres:5432/postgres?sslmode=disable
    networks:
      - openfga

  openfga:
    depends_on:
      migrate:
        condition: service_completed_successfully
    image: openfga/openfga:latest
    container_name: openfga
    environment:
      # No OPENFGA_AUTHN_* settings are given, so the API accepts unauthenticated requests
      - OPENFGA_DATASTORE_ENGINE=postgres
      - OPENFGA_DATASTORE_URI=postgres://postgres:password@postgres:5432/postgres?sslmode=disable
      - OPENFGA_LOG_FORMAT=json
    command: run
    networks:
      - openfga
    ports:
      # Needed for the http server
      - "8080:8080"
      # Needed for the grpc server (if used)
      - "8081:8081"
      # Needed for the playground (Do not enable in prod!)
      - "3000:3000"
```
```javascript
import { randomUUID } from "node:crypto";
import { OpenFgaClient } from "@openfga/sdk";

(async () => {
  // Short random suffix so every run creates a fresh store
  const id = randomUUID().substring(0, 8);
  console.log("ID:", id);

  const client = new OpenFgaClient({
    apiUrl: "http://localhost:8080",
  });

  const store = await client.createStore({ name: `store-${id}` });
  console.log("Store:", store);
  client.storeId = store.id;

  // ##### Configure Authorization Model #####
  // https://openfga.dev/docs/getting-started/configure-model
  const authorizationModel = await client.writeAuthorizationModel({
    "schema_version": "1.1",
    "type_definitions": [
      {
        "type": "admin",
      },
      {
        "type": "user",
      },
      {
        "type": "document",
        // All three relations are direct ("this"); none implies another
        "relations": {
          "reader": {
            "this": {},
          },
          "writer": {
            "this": {},
          },
          "owner": {
            "this": {},
          },
        },
        // Type restrictions: which user types may hold each relation
        "metadata": {
          "relations": {
            "reader": {
              "directly_related_user_types": [
                {
                  "type": "user",
                },
              ],
            },
            "writer": {
              "directly_related_user_types": [
                {
                  "type": "user",
                },
              ],
            },
            "owner": {
              "directly_related_user_types": [
                {
                  "type": "admin",
                },
              ],
            },
          },
        },
      },
    ],
  });
  console.log("AuthorizationModel:", authorizationModel);
  const { authorization_model_id } = authorizationModel;

  // ##### Update Relationship Tuples #####
  // https://openfga.dev/docs/getting-started/update-tuples
  const users = await client.write({
    writes: [
      { "user": "user:anne", "relation": "reader", "object": "document:A" },
      { "user": "user:anne", "relation": "reader", "object": "document:Z" },
      { "user": "user:bob", "relation": "writer", "object": "document:Z" },
      { "user": "admin:chris", "relation": "owner", "object": "document:Z" },
    ],
  }, {
    authorization_model_id,
  });
  // Response of the write call (covers all four tuples, not only Anne's)
  console.log("User-Anne:", JSON.stringify(users, null, 2));

  // ##### Perform a check #####
  // https://openfga.dev/docs/getting-started/perform-check
  const anneIsReader = await client.check({
    user: "user:anne",
    relation: "reader",
    object: "document:Z",
  }, {
    authorization_model_id,
  });
  console.log("Anne is reader:", anneIsReader);

  const anneIsWriter = await client.check({
    user: "user:anne",
    relation: "writer",
    object: "document:Z",
  }, {
    authorization_model_id,
  });
  console.log("Anne is writer:", anneIsWriter);

  // ##### Perform a List Objects call #####
  // https://openfga.dev/docs/getting-started/perform-list-objects
  const objects = await client.listObjects({
    user: "user:anne",
    relation: "reader",
    type: "document",
  }, {
    authorization_model_id,
  });
  console.log("Objects:", objects);
})();
```
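To see what the tuples and type restrictions in the script above mean without a running server, the following added example (not part of the original gist, and not OpenFGA's implementation) evaluates the same model and tuples locally. `allowedTypes`, `parseRef`, `validateTuple` and `TupleStore` are hypothetical names, and the evaluator handles only direct relations, which is all this model uses.

```javascript
// Added example: simplified local model of this gist's direct relations.
// Allowed user types per relation, copied from directly_related_user_types.
const allowedTypes = {
  document: { reader: ["user"], writer: ["user"], owner: ["admin"] },
};

// Split "type:id"; anything else is rejected.
function parseRef(ref) {
  const i = ref.indexOf(":");
  if (i <= 0 || i === ref.length - 1) throw new Error(`malformed reference: ${ref}`);
  return { type: ref.slice(0, i), id: ref.slice(i + 1) };
}

// Return an error string if the tuple violates the type restrictions, else null.
function validateTuple({ user, relation, object }) {
  const allowed = allowedTypes[parseRef(object).type]?.[relation];
  if (!allowed) return `no relation '${relation}' on ${object}`;
  if (!allowed.includes(parseRef(user).type)) return `${user} cannot be ${relation} of ${object}`;
  return null;
}

const key = (t) => `${t.object}#${t.relation}@${t.user}`;

class TupleStore {
  constructor() { this.tuples = new Map(); }
  // Reject the whole batch if any tuple is invalid.
  write(tuples) {
    const errors = tuples.map(validateTuple).filter(Boolean);
    if (errors.length > 0) throw new Error(errors.join("; "));
    for (const t of tuples) this.tuples.set(key(t), t);
  }
  // Every relation here is direct ("this"), so a check is an exact tuple lookup.
  check(t) { return this.tuples.has(key(t)); }
  listObjects({ user, relation, type }) {
    return [...this.tuples.values()]
      .filter((t) => t.user === user && t.relation === relation && parseRef(t.object).type === type)
      .map((t) => t.object)
      .sort();
  }
}

// The four tuples written by the gist's script.
const store = new TupleStore();
store.write([
  { user: "user:anne", relation: "reader", object: "document:A" },
  { user: "user:anne", relation: "reader", object: "document:Z" },
  { user: "user:bob", relation: "writer", object: "document:Z" },
  { user: "admin:chris", relation: "owner", object: "document:Z" },
]);
```

Because no relation in this model is defined in terms of another, `user:bob` as `writer` of `document:Z` is not a `reader` of it, and a tuple making `user:anne` an `owner` is refused since `owner` accepts only the `admin` type.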
```json
{
  "name": "openfga-tutorial",
  "private": true,
  "author": "mryhryki",
  "license": "MIT",
  "scripts": {
    "start": "node ./index.mjs"
  },
  "dependencies": {
    "@openfga/sdk": "^0.4.0"
  }
}
```