
About GraphQL and auth: 1- Is it a good idea to send the token next to the query? ( ?query=...&token=123 in the URL or {"query": "...", "token": "123"} in the body) 2- I want to put an interceptor before the "main handler" that gets this token, opens it, validates it, and assocs :user 123 on the ctx. I know how to do this in Pedestal, but in lacinia-pedestal is there some easy way to do it (without compromising ws and other cool stuff from lacinia-pedestal)?


I believe that the best approach is actually to put/expect it to be in the headers.


And you use a lib such as Buddy to parse the headers within your isolated authenticated calls.


and about the interceptors on lacinia-pedestal?


I have no idea about this one tho. We use ring middleware in our main project.

👍 4

both the GitHub GraphQL API and the one I’m working on use tokens in the Authorization header


Couple of options for #2. The request map is (by default) exposed as :request in the context passed to field resolvers (which, despite the name, is entirely distinct from the Pedestal context).


But if you're writing your own interceptor, you can inject it into Lacinia's interceptor pipeline and put a new key directly into the field resolver context prior to query execution.


If you do it after the query is parsed, you can even do checks that correlate the user (and their permissions) against the operations in the GraphQL request.


I read this article when I started with lacinia, it explains a bit the 2 options:


we went for option 1 though. I think it's the simplest solution, although option 2 does have some advantages as well


if you're looking for an example that uses option 2, I believe does so


Thks 4 all; I will try to inject my custom interceptor.