Fork me on GitHub
#graphql
<
2018-02-12
>
souenzzo13:02:50

How to deal with auth on lacinia? There is some way to process app-context before it come to "handler/resolver"?

gklijs14:02:44

I think you need to add some custom interceptor then, https://github.com/walmartlabs/lacinia/issues/99

souenzzo15:02:33

So, I will not use lacinia-pedestal (just parts of it)

hlship17:02:48

The ideas in lacinia-pedestal can be adapted to other frameworks, such as Ring. Internally, we use pedestal so that's what we're prepared to develop and maintain.

timgilbert20:02:45

What we do is we have a standard ring middleware stack including JWT auth, and the handler that calls (lacinia/execute) is wrapped underneath that

timgilbert20:02:13

The other thing we do is that when a user is authenticated, we add a key to the app-context that corresponds to the logged-in user, then in the resolvers we access that if we need to restrict access to some fields based on what user is requesting it

timgilbert20:02:34

It's all based on adding stuff to the request object in middleware in standard Ring fashion. I imagine you'd use interceptors for the same thing in pedestal, we aren't using lacinia-pedestal ourselves

timgilbert20:02:35

Our code looks roughly like:

(defn create-context [request]
  (let [db   (dlib/get-db)
        user (dlib/db-entity db (:identity request) :person/slug)]
    {:ocp.lacinia/db         db
     :ocp.lacinia/user       user
     :ocp.lacinia/request-id (d/squuid)}))

(defn query-handler
  [request]
  (let [query     (get-in request [:params :query])
        variables (get-in request [:params :variables])
        context   (create-context request)
        result    (lacinia/execute (ocl/load-schema) query variables context)]
[...]

hlship21:02:25

The interceptor complexity in lacinia-pedestal is driven by the desire to get default behavior, and allow for the "slotting" of additional logic, such as auth, between the established steps. Internally, we also do odd things such as rewriting the query to support older clients that submit invalid GraphQL (that pre-release versions of Lacinia accepted as valid). That's why, for example, we extract the query, variables, and operation name in one step, parse it in a second step, and execute it in a third.

hlship21:02:08

But if you are writing for Ring, from scratch, you can easily push these multiple steps together into a single handler.

hlship21:02:09

Whatever works for you.