
Should I use visible? or authorized? #2565

Closed
Li357 opened this issue Oct 28, 2019 · 3 comments

Comments

Li357 commented Oct 28, 2019

If I have certain queries that require a token for authentication, should I hide those parts of the schema to unauthenticated users altogether via visible? or should I use authorized? to make the client aware that the query exists but cannot be accessed without authentication? Is it preferable for security or performance reasons because visible? does not actually execute the query?

rmosolgo (Owner) commented

It depends what kind of client experience you want to provide.

If you use .visible?, it will appear to the client that unauthorized parts of the schema don't exist at all.

If you use .authorized?, you can provide custom error messages for the client. Also, inside authorized?, you have access to the actual objects being accessed by GraphQL.

Personally, I recommend .authorized? because it's easier to understand and more flexible. But .visible? is a good choice if you need to hide part of your schema from some clients.

As for performance, I wouldn't worry about it. A general tradeoff of GraphQL is higher latency in exchange for a better client experience, and I think this case warrants that tradeoff too.

Hope that helps!


Li357 commented Nov 1, 2019

@rmosolgo Thanks! I've decided to use authorized? but it never seems to be called. Currently I'm trying to use it in an interface with definition_methods:

definition_methods do
  def resolve_type(object, context)
    # ...
  end

  def authorized?(object, context)
    puts "test"
    false # for testing
  end
end

And in my_schema.rb I do:

  def self.unauthorized_object(error)
    raise GraphQL::ExecutionError, "Not authorized!"
  end

Yet I never get any logs nor do I get the errors object when I make the request.


rmosolgo commented Nov 1, 2019

🤔 I honestly have no idea what authorized? would do in an interface! I only ever use it in Objects. It's always called on objects at runtime.

I can imagine it would be possible to call authorized from interfaces if the base object called super, but the default implementation doesn't do that:

  def authorized?(object, context)
    if @mutation
      @mutation.authorized?(object, context)
    else
      true
    end
  end

So, you could try adding super to your own base object's authorized? method! But otherwise, I'm really not sure how interfaces play into .authorized? 😬
