I just pushed 0.33.0-alpha-2 to clojars. Feedback would be most welcome!

Lennart Buit 21:04:36

Re the auth question: Is it possible to decorate the schema in some way that it is apparent to callers what they can and cannot do? I know that in graphql-ruby you can hide fields from introspection, but that seems overly aggressive

Lennart Buit 21:04:50

we were looking at directives, but… we couldn’t figure out how


When I was dealing with authz, I remember reading about the viewer field which is used to determine the relationship between viewer and other nodes. This does require re-structuring of the types though.


I'm still figuring out what to do with directives; we have them in the schema and validated, but I haven't quite figured out the right way to expose them to user code. Perhaps yet another key in the context.


Ideally, the internal If and Unless directives would be implemented the same as user-defined directives, but I don't see a good way to do that yet.


So, in theory, you could use directives to describe auth, but in practice, Lacinia doesn't quite let you.

Lennart Buit 16:04:30

@U0JAE119P Right, we have a structure akin to the viewer, but some of our types have fields that are restricted. So there are fields that you as a client see, but cannot necessarily access.

Lennart Buit 16:04:56

Thanks for the explanation, @U04VDKC4G, looking forward to when you guys do figure it out!


About your original question, you can do a good deal of schema decoration by arguments to resolver literals, though you do need to roll your own conventions. E.g.

{ :projects {:type :ProjectList :resolve [:resolvers/projects {:user/required-role :user.role/admin}]}}


...then you'd need to implement the resolver that checks for :user/required-role and returns either the right object or nil

Lennart Buit 05:04:46

That would be decoration on the server side then I’d assume? I was more looking at decorating fields in such a way that a client knows that asking for them is futile. E.g. let’s say that you need to have Admin role to retrieve anyone’s credit card number (please don’t do this)