#graphql
2019-04-19
hlship 17:04:39

I just pushed 0.33.0-alpha-2 to clojars. Feedback would be most welcome!

Lennart Buit 21:04:36

Re the auth question: Is it possible to decorate the schema in some way that it is apparent to callers what they can and cannot do? I know that in graphql-ruby you can hide fields from introspection, but that seems overly aggressive

Lennart Buit 21:04:50

we were looking at directives, but… we couldn’t figure out how

jvtrigueros 22:04:08

When I was dealing with authz, I remember reading about the viewer field which is used to determine the relationship between viewer and other nodes. This does require re-structuring of the types though. https://medium.com/workflowgen/graphql-schema-design-the-viewer-field-aeabfacffe72

hlship 16:04:34

I'm still figuring out what to do with directives; we have them in the schema and validated, but I haven't quite figured out the right way to expose them to user code. Perhaps yet another key in the context.

hlship 16:04:13

Ideally, the internal If and Unless directives would be implemented the same as user-defined directives, but I don't see a good way to do that yet.

hlship 16:04:45

So, in theory, you could use directives to describe auth, but in practice, Lacinia doesn't quite let you.

Lennart Buit 16:04:30

@U0JAE119P Right, we have a structure akin to the viewer, but some of our types have fields that are restricted. So there are fields that you as a client see, but not necessarily can access.

Lennart Buit 16:04:56

Thanks for the explanation, @U04VDKC4G, looking forward to when you guys do figure it out!

timgilbert 19:04:18

About your original question, you can do a good deal of schema decoration by arguments to resolver literals, though you do need to roll your own conventions. E.g.

;; the second element of the :resolve vector is a map of arguments handed to the resolver
{:projects {:type :ProjectList
            :resolve [:resolvers/projects {:user/required-role :user.role/admin}]}}

timgilbert 19:04:08

...then you'd need to implement the resolver that checks for :user/required-role and returns either the right object or nil

Lennart Buit 05:04:46

That would be decoration on the server side then, I'd assume? I was more looking at decorating fields in such a way that a client knows that asking for them is futile. E.g. let's say that you need to have the Admin role to retrieve anyone's credit card number (please don't do this)