I’m not sure how I should implement programmatic access control to a given resource.
For example, I only want users who have a specific data attribute to be able to consume a specific resource. This goes beyond “roles”; it’s literally executing business logic to determine access.
For example, how can I leverage @custom to determine if a user has access to a resource and return an error of sorts, or a custom payload, if the @custom directive’s result doesn’t grant access to the requested resource?
It would be nice to see this as a code example somewhere
If it were about user roles, I’d agree that it’s an ACL issue. But it’s more about determining at runtime if the resource is authorized or not by executing arbitrary business logic.
I’m not trying to “cheap out of enterprise” here, it’s just a different use case.
In essence, can I build a custom resolver for some endpoint that allows me to return whatever the logic determines to be fit for purpose? I have the feeling that @custom is more appropriate? But that’s just a hunch.
Although, there is no way to combine @auth and @custom on a single field at present. But, as @amaster507 said, you can always let your external @custom API handle that logic by forwarding the JWT. The external API can decide based on the JWT what response it should return. And your external API can also just be Dgraph’s GraphQL API, where you can have @auth, as pointed out by @amaster507.
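The pattern this reply describes (forward the JWT, let the external @custom API decide), as an added example that is not from this thread or from Dgraph itself: the decision function such an endpoint would run, assuming HS256 tokens signed with a shared secret, a constructed "plan" claim as the required data attribute, and a schema fragment that uses forwardHeaders to pass the Authorization header along (all assumptions, not taken from the thread).

```python
import base64, hashlib, hmac, json, time

# Dgraph side (assumed schema fragment): getCustomQuery(id: ID!): Resource @custom(http: {
#   url: "https://api.example/resource", method: "GET", forwardHeaders: ["Authorization"]})
SHARED_SECRET = b"constructed-demo-secret"  # assumption: the HS256 key the token issuer signs with
REQUIRED_CLAIM = ("plan", "premium")         # constructed business rule: the attribute a caller must carry

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_hs256(token: str, secret: bytes, now=None):
    """Return the claims if the signature verifies and the token is unexpired, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: a header claiming "none" or any other alg is rejected outright.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        if not isinstance(claims, dict) or claims.get("exp", 0) <= (now or time.time()):
            return None
    except (ValueError, TypeError):  # malformed base64/JSON, wrong segment count, non-numeric exp
        return None
    return claims

def authorize(headers: dict, resource: dict, now=None):
    """Decide the HTTP status and JSON body the external @custom endpoint returns to Dgraph."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    claims = verify_hs256(auth[len("Bearer "):], SHARED_SECRET, now)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    key, value = REQUIRED_CLAIM
    if claims.get(key) != value:  # the runtime business-logic check the thread is asking about
        return 403, {"error": f"access requires {key}={value}"}
    return 200, resource

def mint_token(claims: dict, secret: bytes) -> str:  # constructed stand-in for the identity provider
    h = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```

A non-200 status from this endpoint is what Dgraph reports back as the "unexpected status code" error quoted later in the thread, so the status is the part the GraphQL client actually sees.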
Is there any way to correctly format or forward errors when the authentication at the custom endpoint fails? Now you get:
{
  "errors": [
    {
      "message": "Evaluation of custom field failed because external request returned an error: unexpected status code: 401 for field: getCustomQuery within type: Query.",
      ...
    }
  ],
  ...
}