Need to inject data into a request from clients that cannot be trusted. Please help on how to do this?

I’m in the process of setting up an application where I cannot trust the clients to send legit data, and don’t want to expose some data to the clients. As such, some of the business logic will need to be executed on the server side, and this logic will inject additional data into the individual queries.

This was solved in the graphql-asia-workshop demo, but there were issues with the schema in that code.

What is the current suggestion for implementation of such logic?

Furthermore, I also don’t want to expose the entire set of CRUD operations to all clients, but rather pick and choose what is exposed. This should also mitigate some security issues.



Hi @davidLeonardi, have you had a chance to look at custom directives in Dgraph? Please check out the custom mutation directive that can help run that additional logic.

So as I understand, I’m supposed to take a request, and use @custom to request data from another API and have that return data.
This, in contrast to using Apollo custom resolvers and schema stitching?

Yes @davidLeonardi, that’s how we can handle a custom mutation that requires control on fields.

Please also review the option around custom resolvers specific for GraphQL endpoints. Search for “Calling GraphQL custom resolvers” in the doc. This provides the option of not writing a call to a GraphQL API yourself but instructing the directive to call your GraphQL directly (sort of a GraphQL bridge).
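
One way the service behind a `@custom` mutation could enforce the trust boundary discussed in this thread, as an added example that is not code from the thread or from the Dgraph project: client-supplied fields are allowlisted and server-controlled fields are injected after validation. The mutation name, hook URL, field names and the `buildTaskInput` helper are hypothetical, and the caller's identity is assumed to have been verified already from the forwarded `Authorization` header.

```javascript
// Added example. Hypothetical names: addTaskSecure, the hook URL, all field names.
// Schema side, using Dgraph's @custom HTTP form. Only title and note are mapped
// into the request body, so they are the only client values this service expects:
//
//   type Mutation {
//     addTaskSecure(title: String!, note: String): ID! @custom(http: {
//       url: "https://hooks.internal.example/add-task",
//       method: "POST",
//       body: "{ title: $title, note: $note }",
//       forwardHeaders: ["Authorization"]
//     })
//   }

// Fields a client may supply, with a maximum length for each.
const CLIENT_FIELDS = { title: 200, note: 2000 };

// body: parsed JSON request body. identity: claims the service has already
// verified (assumption). Returns the input for the internal, unexposed mutation.
function buildTaskInput(body, identity, now = new Date()) {
  if (!identity || typeof identity.sub !== "string" || identity.sub === "") {
    throw new Error("unauthenticated");
  }
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    throw new Error("body must be a JSON object");
  }
  const input = {};
  for (const [key, value] of Object.entries(body)) {
    // Reject, rather than silently drop, anything outside the allowlist so
    // attempts to set owner/status from the client show up in error logs.
    if (!Object.prototype.hasOwnProperty.call(CLIENT_FIELDS, key)) {
      throw new Error(`field not accepted from client: ${key}`);
    }
    if (value === null || value === undefined) continue; // optional arg omitted
    if (typeof value !== "string" || value.length > CLIENT_FIELDS[key]) {
      throw new Error(`invalid value for ${key}`);
    }
    input[key] = value;
  }
  if (!input.title || input.title.trim() === "") {
    throw new Error("title is required");
  }
  // Server-controlled fields are set last and never read from the request.
  input.owner = identity.sub;
  input.status = "PENDING";
  input.createdAt = now.toISOString();
  return input;
}
```

The returned object is what the service would send on to the database with its own credentials; the generated add/update mutations for the type stay off the client-facing surface.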