gqlgen icon indicating copy to clipboard operation
gqlgen copied to clipboard

Published 20 hours ago verified publisher icon 99designs

Conditionally removing fields from introspection based on auth

Open vektah opened this issue 5 years ago • 18 comments

Enable consuming apps with different application roles to generate clients with only the methods they have access to.

Note there is terminology overlap here between the end user role and the application role. Each end user would probably still see the same view of the graph.

vektah avatar Oct 13 '18 02:10 vektah

I'm interested in hiding certain fields/queries/mutations from the schema introspection depending on whether the user is authenticated or not, and varying based on roles. Am I right in thinking that this issue relates to doing something like that?

saward avatar Dec 01 '18 05:12 saward

@saward correct.

mathewbyrne avatar Dec 02 '18 21:12 mathewbyrne

@vektah @mathewbyrne was looking through the introspection code - would it make sense to add a directive that allows disabling of fields and inputs in the schema similar to how deprecated is currently handled?

If so, think this would be a quick win we'd be able to help out with. Let me know and someone on our team can allocate some time in the next few days to solve this

sdalezman avatar Mar 18 '19 16:03 sdalezman

I think a specific directive is probably not the right way to implement this; @deprecated is special in that it is a built-in directive from the spec and field deprecation is also a feature from the spec.

So I think this feature needs to be thought out a little more. Currently the only input into introspection is the parsed schema, so I imagine there might be some sort of additional input here that introspection exports so allow granular control of which types are exposed (maybe?). If you guys are keen to address this I'd love to see a proposal.

mathewbyrne avatar Mar 18 '19 21:03 mathewbyrne

That's a good point regarding directives - reason I reached for adding a built in directive is that it would be embedded in the workflow of a developer.

I think the other option would be to introduce another key in gqlgen so that we can specify the fields/input to be excluded from introspection. I think this would be a happy medium and fit into the overall workflow of gqlgen. I don't think this should be something that's introduced in the options to GraphQL. To me the GraphQL instantiation is something that should change very infrequently and isn't part of my day to day workflow as a developer.

The nice part of introducing a new key to gqglen is it's already part of my existing workflow (whenever I define queries I always think about 1. updating schema 2. any updates that need to happen to gqlgen.yml).

I can understand not wanting to "pollute" gqlgen, but maybe it becomes a new key under schema called disableIntrospection and it would include a list of fields and inputs to be disabled? That would fit very cleanly into existing workflows I think.

If that works for you we can map out the code updates itself to facilitate that update.

sdalezman avatar Mar 19 '19 14:03 sdalezman

FWIW I still think this could be exposed as a directive to the end developer, probably through a plugin. But that means that introspection cannot look specifically for a named directive, so you'd need to expose this through configuration as you've described above.

I think this sounds like a reasonable approach, there would be a bit of work involved to inject this configuration into introspection but it doesn't seem too crazy. Keen to get some input from @vektah here as well.

mathewbyrne avatar Mar 19 '19 21:03 mathewbyrne

That makes sense! Am curious to get that feedback as well - definitely something that's becoming a larger priority for our team. Thanks!

sdalezman avatar Mar 25 '19 18:03 sdalezman

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Aug 28 '19 05:08 stale[bot]

I'm still interested in this.

saward avatar Aug 28 '19 05:08 saward

yeah, I found this Issue now. I have some interest in.

vvakame avatar Oct 08 '19 08:10 vvakame

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Dec 07 '19 08:12 stale[bot]

👀

vvakame avatar Dec 08 '19 02:12 vvakame

interested in this too

jinxmcg avatar Jan 03 '20 18:01 jinxmcg

Any updates on this issue?

AienTech avatar Jun 22 '20 22:06 AienTech

@vektah Any updates on this? We are also interested with this feature.

sumanthakannantha avatar Aug 10 '20 12:08 sumanthakannantha

:eyes:

nsemikov avatar Aug 10 '20 15:08 nsemikov

We are desperately waiting for this feature

degarajesh avatar Aug 12 '20 08:08 degarajesh

This can be implemented as a plugin.

https://github.com/ec2-software/gqlgen-introspect-filter/blob/v0.1.0/introspection_filter.go

It uses GQLGen middleware around all fields to check if the field is returning a list of introspection types, and filters them down based on a configurable function.

The package also implements a second plugin to sort results to work around #1497

It could be made smarter to automatically filter out fields that use types that are filtered out, etc.

duckbrain avatar Apr 09 '21 20:04 duckbrain