Add support for a 'silent' mode #988
Comments
|
Hey @jgnieuwhof 馃憢, Thank you for opening an issue. We will get back to you as soon as we can. Also, check out our Open Collective and consider contributing financially. https://opencollective.com/graphql-shield
|
|
Hey 馃憢 , Thank you for your kind words. I think this could be a great addition to the library. I am wondering, though, if clients don't let you ignore errors by default? I think that Apollo Client and the like raise errors by default, but you can change that so that you get the |
|
馃憢 thanks for the quick response! Unfortunately the specific issue I've encountered involves Apollo federation, where you have a single graph (gateway) comprised of one or more services. When the gateway encounters a downstream service error the partial data response from that service is ignored. This is a situation where we care far more about the partial data response than the details of the authorization-related downstream error. Aside from this though - in general I've gained a preference for treating a lack of access as a lack of data. It's inline with how most DB RBAC systems work (queries will silently return only the data that you have access to), and is easy to handle on the front-end (don't render data that isn't there). I suppose there are also situations where it's a security flaw to admit there's data there at all, an example of this might be GitHub's 404 response when trying to visit a repository that you don't have access to. I guess there's a few thoughts there 馃槄, thanks in advance for taking the time to read 'em. |
|
@jgnieuwhof Sorry for hi-jacking your issue. Just out of interest - how are you using graphql-shield with federation? do you use it on all individual federated services? |
|
@codepunkt - no sweat, yeah using it individually on each schema. There were two things I did to make it play well with federation.
|
|
Thank you for hijacking this! It slipped out of my radar. @jgnieuwhof I have a very similar view on how permissions work - I like this kind of thinking. 馃檶馃徔 Besides that, let's implement the |
|
@maticzav - great to hear! Not sure if I'll find time today, but I should have a cycle to work on this within the next week or two. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
I would recommend also an ability to return custom GraphQL type. There is a certain tendency in the GraphQL developemnet to disregard error responses because they're problematic to add strict typing to, so people prefer schemas like this: type Query {
users: Users
}
union Users = Error | PaginatedUsers
type Error {
kind: ErrorsEnum
message: String!
}
enum ErrorsEnum {
UNAUTHORIZED
}
type PaginatedUsers {
count: Int!
items: [User]
}
type User {
id: ID
} |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
@esseswann Have you found any sort of work around in order to use custom error types? I'm attempting to do exactly what you described. |
|
@forrestwilkins As of now we had to manually handle the errors and convert them to custom types |
Feature request
Firstly, thanks for the great library and continued support 馃檹.
My current team has encountered a situation where it would be preferable to allow authentication to fail silently, returning
nullrather than anError.It's currently possible to do this by passing
{ fallbackError: null }, however it's neither TypeScript compliant nor officially supported.I'm happy to make a PR with the change, if / when a solution is decided upon.
Describe the solution you'd like
Add a new option,
{ silent: boolean }, informing the middleware resolver to returnnullif authorization fails.Describe alternatives you've considered
Allow
fallbackErrorto acceptnull.The text was updated successfully, but these errors were encountered: