I have a GraphQL API that is governed by a permission system that I implemented.

I tried going with Graphql-shield but I didn't want to error out on the whole request if the client requests a forbidden field, so instead I implemented my own permission system.

Now, I need to solve a problem:

The way I implemented the permission system means that every field is checked if it is permitted and if it is not then null is returned. However, I would like to return some indication that the field was not actually null but that the field was "not permitted".

I thought about doing it in two ways:

  • During each check I append to some query-wide variable all fields that are not accessible and return it along with the query (probably in some middleware of some sort)
  • I extend all of the objects in my schema with a "permitted" field in which I return the value of the permission

Any suggestions?

popololvic

1 Answer

IMHO not worth the effort... The API FAQ or docs (available in GraphiQL/Playground) can contain a notice about 'unexpected null', ACL reasons, etc. It's enough for the majority of use cases.

If you still want to include some [debug] info in the response, extensions are for that, e.g. https://github.com/apollographql/apollo-tracing. In this case:

  • just attach a list of 'field access denied' [structured] notices;
  • collect them (in/from resolver) in some context object, attach in middleware (?), before overall response return;

Make it configurable (debug mode), too.

xadm
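The approach from the answer above, as an added example that is not part of the original posts: denied fields resolve to null, a structured notice is collected on the per-request context, and the list is attached under `extensions` only in debug mode. The names `withPermission`, `deniedFields`, `accessDenied` and `formatResponse` are assumptions, the permission checks are synchronous for brevity, and the executor loop in `demo` stands in for a real GraphQL server.

```javascript
// Added example; withPermission, deniedFields, accessDenied and formatResponse
// are assumed names, not graphql-shield or Apollo APIs.

// Flatten a graphql-js style info.path ({ key, prev }) into ['user', 'email'].
function pathToArray(path) {
  const out = [];
  for (let p = path; p; p = p.prev) out.unshift(p.key);
  return out;
}

// Wrap a resolver: on denial, record a notice and resolve to null instead of
// throwing, so the rest of the query still succeeds.
function withPermission(isAllowed, resolve) {
  return (parent, args, context, info) => {
    if (isAllowed(parent, args, context, info)) {
      return resolve(parent, args, context, info);
    }
    // Record only the path and a code, never the protected value.
    context.deniedFields.push({ path: pathToArray(info.path), code: 'FIELD_ACCESS_DENIED' });
    return null;
  };
}

// Run once per request, after execution and before the response is sent.
// The notices are emitted only when debug is enabled.
function formatResponse(data, context, { debug }) {
  const response = { data };
  if (debug && context.deniedFields.length > 0) {
    response.extensions = { accessDenied: context.deniedFields };
  }
  return response;
}

// Constructed demo: a caller with only the "viewer" role requests user.email.
function demo(debug) {
  const context = { roles: ['viewer'], deniedFields: [] }; // fresh per request
  const isAdmin = (_parent, _args, ctx) => ctx.roles.includes('admin');
  const resolvers = {
    name: withPermission(() => true, (user) => user.name),
    email: withPermission(isAdmin, (user) => user.email),
  };
  const user = { name: 'Ada', email: 'ada@example.test' }; // constructed data
  const root = { key: 'user', prev: undefined };
  const data = { user: {} };
  for (const field of Object.keys(resolvers)) {
    const info = { path: { key: field, prev: root } };
    data.user[field] = resolvers[field](user, {}, context, info);
  }
  return formatResponse(data, context, { debug });
}
```

The `deniedFields` array must be created per request; a shared array would leak one caller's denied paths into another caller's response.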