-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to intercept field resolvers? #352
Comments
A
We recommend injecting authentication credentials through context.
There is, we support field-level directives (docs), which are Here's an example of what this might look like:
You will then find that you have an |
Thanks for the reply. I had been aware of directives, but I'm trying to use OPA (https://www.openpolicyagent.org/) for handling authorisation, and the policies will be more complicated than I think is feasible with directives. I'd also prefer not to have policy data like that contained within the schema. I hadn't fully realised that the value was returned as part of 'res', and that's helped a lot with finding a solution for this. Thanks! |
You make a good point though about resolver middleware's not having access to the parent object, especially since directive middlewares do have access. I'll haver a think about whether we want to add it to the resolver middleware interface. |
That sounds good, thanks! |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Hi,
I am trying to work out how to inject authorisation functions into my project. Consider, for example, a contrived example involving a Client object:
And then a resolver to fetch it (as well as resolvers for Created and User):
And a query:
Suppose that I want to disallow the viewing of the 'dob' field for anyone except the user that owns this client object.
Right now, I can create a ResolverMiddleware that intercepts before a response is sent. I could in that, I assume, do some work to check the relevant values and continue on or reject depending on authorisation policy.
However, the difficulty is that I think I need to fetch the client object twice -- once in the Client() resolver, and once in my custom authorisation function. Looking at the generated code, it seems that the 'client' object that's fetched as part of the 'Client()' resolver function isn't passed to the ResolverMiddleware in any way. This means that in order to get, say, the UserID value to help determine if I'll allow the Dob string to be returned, I need to fetch the client object again (or do some separate caching of the result -- such as https://gqlgen.com/reference/dataloaders/).
I wondered if:
a) I'm reading the code right, and I have understood the above correct
b) There's a better way to have access to the data I need to perform the authorisation calculations in question
I could of course create resolvers for every field, since those get passed the Client object, but that seems like unnecessary boilerplate code.
The text was updated successfully, but these errors were encountered: