Gqlify / gqlify

An API integration framework using GraphQL
https://www.gqlify.com
Apache License 2.0

Remove some mutations or queries for a specific model #23

Open wwwy3y3 opened 5 years ago

wwwy3y3 commented 5 years ago

Describe the solution you'd like: Remove some mutations or queries for a specific model

Describe alternatives you've considered: Maybe add directives to the model, like

type User @queryOnly {
  name: String
}

and mutation plugins will know that it's a queryOnly model, hence skip mutation generation.

stilren commented 5 years ago

Hey! Thanks for a nice library! I tried it out on a new project, but since it forces me to expose my whole database via GraphQL, I don't see how it could be practical for any solution with users that are not also admins. Am I doing something wrong?

wwwy3y3 commented 5 years ago

hi @stilren

Yes, currently, GQLify simply exposes your database as an API.

For user-based applications or role-based access control applications, it's best practice to separate out an authentication layer (using graphql-middleware) to deal with it. Right now, you'll have to deal with middleware yourself.

The good news is: we've already thought a lot about this and are currently working on it. We'll come up with solutions and tutorials that allow you to add user-based GraphQL queries like the one below:

me {
  books {id name}
  groups {id name}
}

We'll provide an API to extend the GraphQL Query type, and you'll be able to write resolvers to interact with data sources yourself with the user token you put in the request header.

Also, there will be authentication directives (@protect) you can use without dealing with middleware yourself, like the following:

type Category @GQLifyModel(dataSource: "firebase", key: "Category") @protect(role: ADMIN) {
  id: ID! @unique @autoGen
  name: String!
  books: [Book]
}

The actual directives and usage might change when we release it. I'll mention the release in this thread once we finish this feature.

jthegedus commented 5 years ago

Will the @protect directives be implemented per datasource? Will @protect(role: ADMIN) generate the firestore security rules for that resource? Or is there a plan to utilise pre-existing firestore security rules?

wwwy3y3 commented 5 years ago

@jthegedus the authentication directives will not be data-source specific; thus, they will not generate Firestore security rules. They will create GraphQL middleware with the specified authentication rules and apply it to the GraphQL server instead.

Since we're using firebase-admin, it will bypass all security rules.
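Because firebase-admin bypasses Firestore security rules, every access decision discussed in this thread has to be made in the GraphQL layer before a resolver reaches the data source. The sketch below is an added example, not part of the thread and not GQLify's code: a deny-by-default guard in the `(resolve, root, args, context, info)` shape that graphql-middleware uses, covering both a query-only model and a role-protected model. `POLICY`, `FIELDS`, `guard`, `protectResolvers`, the generated field names and `context.user.role` are all hypothetical.

```javascript
// Added example: deny-by-default authorization in the GraphQL layer.
// All names here are hypothetical and are not GQLify's API.

// Per-model policy: the role required to read and to write.
// write: null marks the model as query-only (no mutation is allowed).
const POLICY = {
  User: { read: 'USER', write: null },
  Category: { read: 'ADMIN', write: 'ADMIN' },
};

// Maps each generated field to its model and operation (constructed names).
const FIELDS = {
  Query: { users: ['User', 'read'], categories: ['Category', 'read'] },
  Mutation: { createUser: ['User', 'write'], createCategory: ['Category', 'write'] },
};

// Middleware in the (resolve, root, args, context, info) shape that
// graphql-middleware uses; it throws before the data source is touched.
function guard(model, op) {
  return (resolve, root, args, context, info) => {
    const rule = POLICY[model];
    const required = rule ? rule[op] : undefined;
    if (required === null) throw new Error(`${model} is query-only`);
    if (required === undefined) throw new Error(`no policy for ${model}.${op}`);
    const user = context && context.user;
    if (!user) throw new Error('unauthenticated');
    // ADMIN is treated as satisfying every requirement (an assumption).
    if (user.role !== required && user.role !== 'ADMIN') throw new Error('forbidden');
    return resolve(root, args, context, info);
  };
}

// Wraps a plain resolver map; a field with no FIELDS entry is rejected so
// that a newly generated resolver is never exposed without a rule.
function protectResolvers(resolvers) {
  const out = {};
  for (const [type, fields] of Object.entries(resolvers)) {
    out[type] = {};
    for (const [name, fn] of Object.entries(fields)) {
      const entry = (FIELDS[type] || {})[name];
      const mw = entry ? guard(...entry)
        : () => { throw new Error(`no rule for ${type}.${name}`); };
      out[type][name] = (root, args, context, info) => mw(fn, root, args, context, info);
    }
  }
  return out;
}
```

The role in `context.user` is assumed to come from a token verified on the server for each request, never from a client-supplied argument.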

davidgustys commented 5 years ago

@wwwy3y3 Any updates on this?