exAspArk / graphql-guard

Simple authorization gem for GraphQL :lock:
MIT License
472 stars 36 forks

Hiding unauthorized fields from introspection? #14

Closed lsanwick closed 6 years ago

lsanwick commented 6 years ago

Looking at the docs and other issues I don't think I've seen an exact question like mine, so here goes:

Is there a way to hide a field from introspection if the user is unauthorized to see it? I'd like to have a schema that mixes public and internal fields, and hides the internal fields completely from external users of the application. Is this possible?

exAspArk commented 6 years ago

Hey @lsanwick!

Thanks for opening the issue. Yeah, the concept of hiding some of the GraphQL fields is usually called schema-masking.

I was thinking about implementing it with the graphql-guard gem. The API, however, will probably be a little bit different. The primary difference is that during the introspection there are no field objects and arguments, only context.

One potential implementation:

QueryType = GraphQL::ObjectType.define do
  name "Query"

  field :posts, !types[!PostType] do
    argument :user_id, !types.ID
    mask ->(ctx) { ctx[:current_user].admin? } # <= NEW
    guard ->(obj, args, ctx) { args[:user_id] == ctx[:current_user].id }
  end
end

or

Schema = GraphQL::Schema.define do
  query QueryType
  use GraphQL::Guard.new(mask_object: GraphqlMask) # <= NEW
end

Please let me know what you think about it :)

exAspArk commented 6 years ago

I released the option to mask specific fields in version 1.1.0 https://github.com/exAspArk/graphql-guard#schema-masking :)
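The distinction exAspArk draws above (a mask runs at introspection time with only `ctx`, a guard runs at resolve time with `obj`, `args`, `ctx`) is worth seeing end to end. The following is an added, standalone Ruby simulation of that design; it is not graphql-guard's code and does not use the graphql gem, and the schema hash, user hashes and `introspect`/`resolve` helpers are all constructed for illustration.

```ruby
# Standalone simulation (not graphql-guard's implementation) of the two
# checks described in the thread: a mask evaluated during introspection
# with only ctx, and a guard evaluated at resolve time with obj, args, ctx.

# Constructed sample schema: each field may carry a mask and/or a guard.
SCHEMA = {
  "Query" => {
    "posts" => {
      mask:  ->(ctx) { ctx[:current_user][:admin] },
      guard: ->(obj, args, ctx) { args[:user_id] == ctx[:current_user][:id] },
    },
    "publicPosts" => {},
  },
}

# Introspection: returns the field names a caller is allowed to know exist.
# Only ctx is available at this point, as the thread notes.
def introspect(schema, type_name, ctx)
  schema.fetch(type_name).select do |_name, opts|
    mask = opts[:mask]
    mask.nil? || mask.call(ctx)
  end.keys
end

# Resolution: the guard also sees obj and args. Returns :not_authorized
# rather than raising so the outcome can be inspected.
def resolve(schema, type_name, field_name, obj, args, ctx)
  opts  = schema.fetch(type_name).fetch(field_name)
  guard = opts[:guard]
  return :not_authorized if guard && !guard.call(obj, args, ctx)
  :resolved
end

# Constructed sample contexts.
ADMIN  = { current_user: { id: 1, admin: true } }
MEMBER = { current_user: { id: 2, admin: false } }

if __FILE__ == $PROGRAM_NAME
  p introspect(SCHEMA, "Query", ADMIN)   # ["posts", "publicPosts"]
  p introspect(SCHEMA, "Query", MEMBER)  # ["publicPosts"]
  # Without the mask, a guard alone would still reveal that "posts" exists;
  # it only rejects the call once args are known.
  p resolve(SCHEMA, "Query", "posts", nil, { user_id: 2 }, MEMBER) # :resolved
  p resolve(SCHEMA, "Query", "posts", nil, { user_id: 1 }, MEMBER) # :not_authorized
end
```

The two `introspect` calls show the defensive gain of masking: a non-admin's introspection result no longer lists the internal field, whereas a guard only protects the data once the field is actually queried.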