Laravel Lighthouse: CanDirective: How to define a custom error message?

Question

I have created a custom policy for a model and the policy logic works really well with a GraphQL mutation. I'm just wondering can I somehow pass my custom error message as a GraphQL response?

This is an example of a policy class:

use App\Models\MyModel;
use App\Models\User;
use Illuminate\Auth\Access\HandlesAuthorization;

class MyModelPolicy
{
    use HandlesAuthorization;
    
    public function update(User $user, MyModel $my_object)
    {
        if (!$my_object->checkSomething()) {
            // Throws an exception
            $this->deny('My custom error message should be delivered to the GraphQL client..');
        }
        
        return true;
    }
}

But the message in the exception gets discarded:

by Laravel 5 here: https://github.com/illuminate/auth/blob/8f0603a1d5b90c045a1ce5365ead0f0ba20fc6ce/Access/Gate.php#L279-L281
or by Laravel 6 (and onward) here: https://github.com/illuminate/auth/blob/478cf31f02831ec45194fec5428f666f85b4f1b0/Access/Gate.php#L277

bhucho · Answer 1 · 2020-08-18T21:21:04.980

You can use try catch to throw your custom response though I personally never use try catch block in model(only in controllers)

public function update(User $user, MyModel $my_object)
    try {
        if (!$my_object->checkSomething()) {
            // Throws an exception
            throw new \Exception('YourCustomException');
            $this->deny('My custom error message should be delivered to the GraphQL client..');
        }
        
        return true;
    }catch (\Exception $e) {
            if ($e->getMessage() == 'YourCustomException') {
                $data = [
                    'status' => 'error',
                    'message' => 'YourCustomException is not authorized.',
                ];
                return response($data, 200);
            }
     }

You can change your status code and message accordingly. Here response() is HTTP response object.

It is not recommended to use status codes other than 200 for GraphQL responses that entered execution. — spawnia, Aug 18 '20 at 15:15

score 0 · Answer 2 · answered Aug 18 '20 at 15:14

Consider https://lighthouse-php.com/master/digging-deeper/error-handling.html#user-friendly-errors.

webonyx/graphql-php offers the GraphQL\Error\ClientAware interface, that can be implemented by Exceptions to control how they are rendered to the client.

By default, given you turned off debug mode, exception messages are not shown to the client.

Since you don't control the thrown message directly when using $this->deny(), you could register an error handler within Lighthouse to recognize the thrown AuthorizationException and convert it to a ClientAware exception.

https://lighthouse-php.com/master/digging-deeper/error-handling.html#registering-error-handlers

How does one turn off debugging mode for Lighthouse? – itsezc Oct 26 '20 at 10:38 — itsezc, Oct 26 '20 at 10:38

Laravel Lighthouse: CanDirective: How to define a custom error message?

2 Answers2