1

I'm using graphql and prisma.

datamodel.prisma

type User {
  id: ID! @id
  createdAt: DateTime! @createdAt
  updatedAt: DateTime! @updatedAt
  email: String! @unique
  password: String!
  first_name: String
}

schema.graphql

scalar Date

type Query {
  users: [User!]!
}

type User {
  id: ID!
  createdAt: Date!
  updatedAt: Date!
  email: String!
  first_name: String
}

resolver

users: (parent, args, context) => {
  return context.prisma.users();
}

I expected to get a user list, but received the error:

query

{
  users {
    email
  }
}

error

"Cannot query field 'password' on type 'User'. (line 7, column 5):\n password\n ^"


UPDATE 1 Tried to use a fragment, but got the same:

{
  users {
    ...userFields
  }
}

fragment userFields on User {
  email
}
demkovych

4 Answers

4

I'd like to also add a scenario that can very easily cause this same issue that took me a while to debug and I'm sure others will encounter, because it took me quite some time to realize the issue was actually being caused in my FRONTEND code where I was defining my auth-related Mutations.

Set Up

Here's what that looked like while developing much of my application:

datamodel.prisma (I've omitted some fields for simplicity's sake)

type User {
  id: ID! @id
  name: String!
  email: String! @unique
  password: String!
}

schema.graphql (just showing the signUp Mutation for simplicity)

type Mutation {
  signUp(email: String!, password: String!, name: String!): User!
}

SignUp.js (where I access the signUp Mutation exposed in schema.graphql)

const SIGNUP_MUTATION = gql`
  mutation SIGNUP_MUTATION(
    $email: String!
    $name: String!
    $password: String!
  ) {
    signUp(email: $email, name: $name, password: $password) {
      id
      email
      name
      password
    }
  }
`

Notice that I am returning id, email, name, and password - this was because I wanted to make sure everything was working in development.


Introducing the Cannot query field 'password' on type 'User' error

Once I began working on security and created a special User type in schema.graphql so that I could hide protected fields such as password, that's when I got this issue:

schema.graphql (notice that I am now not exposing the password field on this frontend-facing User type)

type Mutation {
  signUp(email: String!, password: String!, name: String!): User!
}

type User {
  id: ID!
  name: String!
  email: String!
}

Solution

Because of the nature of this error message, I spent most of my morning puzzling over my backend code. But it turned out that the error was actually being caused in SignUp.js, where I was RETURNING the password field.

The solution was to simply remove that line from the list of return fields like so:

const SIGNUP_MUTATION = gql`
  mutation SIGNUP_MUTATION(
    $email: String!
    $name: String!
    $password: String!
  ) {
    signUp(email: $email, name: $name, password: $password) {
      id
      email
      name
    }
  }
`

Key Lessons

  1. So if you're experiencing this issue, please check ALL of your relevant mutations and make sure that you're not returning any fields that you have protected as I described here.

  2. Be sure to also check your frontend code and make sure you aren't trying to return fields that you have now protected and are no longer exposing to the frontend.

I hope this is helpful and saves people some time!

1

... aaah Prisma ...

I don't know if interfaces, unions or input types are supported. Graphql docs

Prisma generates almost everything ... but defining password as required (as type for DB generation) for datamodel should not block querying for a type subset or type defined on existing model without using all fields.

For me it's a bit of a misleading error message. It can be resolver related.

Try to match types in resolver, don't return direct prisma query (operates on model types), but map queried data (an array) to filter out password field/property (to be query type compatible). It's a security concern, too - passwords shouldn't be read from outside.

xadm
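
The mapping suggested in this answer, as an added example (not code from the answer or from Prisma): the `users` resolver from the question projects each model record onto the fields of the public `User` type, so `password` never leaves the resolver. `PUBLIC_USER_FIELDS`, `toPublicUser` and `fakeContext` are hypothetical names, and the sample rows are constructed.

```javascript
// Added example, not from the thread. PUBLIC_USER_FIELDS (hypothetical name)
// mirrors the public User type in the question's schema.graphql.
const PUBLIC_USER_FIELDS = ["id", "createdAt", "updatedAt", "email", "first_name"];

// Allowlist projection: copy only the fields the public type declares.
// `password`, and any field added to datamodel.prisma later, is dropped
// by default instead of having to be remembered in a denylist.
function toPublicUser(record) {
  const out = {};
  for (const field of PUBLIC_USER_FIELDS) {
    // Optional fields such as first_name may be absent; expose them as null.
    out[field] = Object.prototype.hasOwnProperty.call(record, field)
      ? record[field]
      : null;
  }
  return out;
}

const resolvers = {
  Query: {
    // Same resolver as in the question, except that model rows are mapped
    // to the public shape before they are returned.
    users: async (parent, args, context) => {
      const rows = await context.prisma.users();
      return rows.map(toPublicUser);
    },
  },
};

// Constructed stand-in for the Prisma client; rows and hashes are sample data.
const fakeContext = {
  prisma: {
    users: async () => [
      { id: "u1", createdAt: "2019-06-01T10:00:00.000Z", updatedAt: "2019-06-01T10:00:00.000Z",
        email: "alice@example.com", password: "constructed-hash-1", first_name: "Alice" },
      { id: "u2", createdAt: "2019-06-02T10:00:00.000Z", updatedAt: "2019-06-02T10:00:00.000Z",
        email: "bob@example.com", password: "constructed-hash-2" },
    ],
  },
};

resolvers.Query.users(null, {}, fakeContext).then((users) => console.log(users));
```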
0

I've created a custom query which returns a fragment, and it seems the error is gone.

demkovych
0

Just run in your console (in the prisma folder):

PRISMA_MANAGEMENT_API_SECRET=mysecret42 prisma deploy
Jared Forth