Adding a Auth Directive that only allows public access to some fields

Matt_Wardle · September 7, 2022, 3:46pm

Is there any way to just allow public access to some fields from a type? So in the example type below only allow other users to access id and name without giving access to the email?

type User {
  id: ID!
  name: String
  email: String
}

MichelDiz · September 7, 2022, 4:21pm

That’s not possible as far as I know.

jdgamble555 · September 7, 2022, 4:31pm

It is not currently possible.

You basically have two work arounds:

Create two User types, one with public, one with private info
Lock the whole type from view, and create a custom dql query to query only what you want to be visible

J

Matt_Wardle · September 8, 2022, 8:39am

Thanks for your response. With the two type option could the public node just reference the private one. Or would we have to duplicate the node?

jdgamble555 · September 8, 2022, 10:54am

The private could reference the public but not the other way around. The information would be different, as there would be no need to duplicate data.

J

amaster507 · September 8, 2022, 2:58pm

Another idea in theory is to use an interface where the interface is the public and the implementing is the private. This would mean that the data was on a singular node still. There might be some other gotchas when using this model but in theory it should work.

Poolshark · September 29, 2022, 4:46am

@amaster507 this will not work as expected. If I understood right, then you suggest something like this:

interface Public {
  id: ID!
  name: String
}

type User implements Public 
  @auth(
    # query rules - eg. users can only see their own email
  ){
  id: ID!
  name: String

  email: String
}

In such a scenario you would not be able to run a single user query for type User since @auth rules for the implementation of interfaces are connected with AND. Thus, querying (and applying the assumption that @auth is set so that a user can only query himself)

query User {
  queryUser {
    id
    name
    email
  }
}

# Result
{
  data: {
    queryUser: [
      {
        id: "0x1"
        name: "My User"
        email: "myuser@user.com"
      }
    ]
  }
}

would only give one result - that of the querying user. Running the query via the interface would result in the expected results for all users

query Public {
  queryPublic {
    id
    name
  }
}

# Result
{
  data: {
    queryPublic: [
      {
        id: "0x1"
        name: "My User"
      },
      {
        id: "0x2"
        name: "User 2"
      },
      {
        id: "0x3"
        name: "User 3"
      }
    ]
  }
}

So, at least in my understanding, the only way of having a single user query with the expected field protection is either via a @custom DQL query if you only care about query protection, or, if you need a more sophisticated approach (eg. including mutations), via custom lambda resolvers.

Topic		Replies	Views
GraphQL Auth on predicates GraphQL kind:question	11	1658	December 29, 2021
Using @auth on individual fields? GraphQL auth , status:accepted , kind:feature	19	2557	December 2, 2021
Restrict visibility of graphql mutation and queries GraphQL	4	931	July 30, 2020
Feature Request: Add Directive for controlling Anonymous Access GraphQL kind:feature	0	429	October 25, 2021
Combining @secret and @auth directives GraphQL kind:question	6	1237	November 5, 2020

Adding a Auth Directive that only allows public access to some fields

Related topics