graph-gophers / graphql-go

GraphQL server with a focus on ease of use
BSD 2-Clause "Simplified" License
4.65k stars 492 forks source link

Question on query string parsing #581

Closed danny-xx closed 1 year ago

danny-xx commented 1 year ago

The func for parsing query string is located under /internal package: https://github.com/graph-gophers/graphql-go/blob/master/internal/query/query.go#L18-L28

Is there any concern for exposing this functionality to consumers?

Here's my example use case for justification:

type Query {
    queryA: String!
    queryB: String!
    public: PublicQuery
}

type PublicQuery {
    queryC: String!
    queryD: String!
}

I want to skip authorization validation in middleware for any "public" queries. For example:

query getPublicQueryC {
    public {
        queryC
    }
}

In order to do this, I want to

  1. parse the query string in middleware
  2. check if the selections for this operation meets the "public" requirements
  3. skip authorization validation middleware if that's the case

Is this the proper way for checking specific query groups? I would appreciate it if anyone has better ideas!

Thanks in advance!

pavelnikolov commented 1 year ago

Hi @danny-xx I would recommend declarative authorization whenever possible. Luckily, it is already possible to do this in the master branch. Check this directive example. In addition to that in v1.7.0 it will be possible to access the AST of the query and see all the fields and operations there.