
Remove some mutations or queries for a specific model

Open wwwy3y3 opened this issue 7 years ago • 5 comments

Describe the solution you'd like

Remove some mutations or queries for a specific model

Describe alternatives you've considered

Maybe add directives to model like

type User @queryOnly {
  name: String
}

and mutation plugins will know that it's a queryOnly model, hence skip mutation generation.

wwwy3y3 avatar Dec 06 '18 07:12 wwwy3y3

Hey! Thanks for a nice library! I tried it out on a new project, but since it forces me to expose my whole database via graphql I don't see how it could be practical for any solution with users that are not also admins. Am I doing something wrong?

stilren avatar Jan 03 '19 14:01 stilren

hi @stilren

Yes, currently, GQLify simply exposes your database as an API.

For user-based applications or role-based access control applications, it's best practice to separate an authentication layer (using graphql-middleware) to deal with it. Right now, you'll have to deal with middlewares by yourself.

The good news is: we've already thought a lot about this and are currently working on it. We'll come up with solutions and tutorials that allow you to add user-based graphql queries like the one below:

me {
  books {id name}
  groups {id name}
}

We'll provide an API to extend the graphql Query type, and you'll be able to write resolvers to interact with data-sources by yourself with the user token you put in the request header.

Also, authentication directives (@protect) that you can use without dealing with middleware by yourself, like the following:

type Category @GQLifyModel(dataSource: "firebase", key: "Category") @protect(role: ADMIN) {
  id: ID! @unique @autoGen
  name: String!
  books: [Book]
}

The actual directives and usage might change when we release it. I'll mention the release in this thread once we finish this feature.

wwwy3y3 avatar Jan 07 '19 05:01 wwwy3y3

Will the @protect directives be implemented per datasource? Will @protect(role: ADMIN) generate the firestore security rules for that resource? Or is there a plan to utilise pre-existing firestore security rules?

jthegedus avatar Jan 07 '19 21:01 jthegedus

@jthegedus the authentication directives will not be data-source specific; thus, they will not generate firestore security rules. It's going to create graphql middleware with the specified authentication rules and apply it to the graphql server instead.

Since we're using firebase-admin, it will bypass all security rules.

wwwy3y3 avatar Jan 08 '19 02:01 wwwy3y3
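
The approach described in the comments above (role rules enforced in a middleware layer on the GraphQL server, since firebase-admin bypasses Firestore security rules), as an added example that is not part of the original thread and is not GQLify or graphql-middleware code. The root field names, the roles, the rule table and the in-memory store are assumptions made for illustration.

```javascript
// Added example (not GQLify or graphql-middleware code); fields, roles and rules are assumed.
// Allowed roles per "RootType.field". Anything not listed is denied.
const rules = {
  'Query.categories': ['USER', 'ADMIN'],
  'Mutation.createCategory': ['ADMIN'],
};

// Wrap one resolver so the role check runs before any data-source call.
function protect(typeName, fieldName, resolve) {
  const allowed = rules[`${typeName}.${fieldName}`] || []; // deny by default
  return (parent, args, context, info) => {
    const role = context && context.user ? context.user.role : null;
    if (!role || !allowed.includes(role)) {
      throw new Error(`Not authorized: ${typeName}.${fieldName}`);
    }
    return resolve(parent, args, context, info);
  };
}

// Apply the wrapper to every root field of a resolver map.
function applyRules(resolverMap) {
  const wrap = (typeName) => Object.fromEntries(
    Object.entries(resolverMap[typeName] || {})
      .map(([field, fn]) => [field, protect(typeName, field, fn)]));
  return { Query: wrap('Query'), Mutation: wrap('Mutation') };
}

// Constructed stand-in for an admin-SDK data source: it does no checks itself.
const store = [{ id: '1', name: 'Fiction' }];
const resolvers = applyRules({
  Query: { categories: () => store, users: () => [] }, // "users" has no rule
  Mutation: {
    createCategory: (_, { name }) => {
      const row = { id: String(store.length + 1), name };
      store.push(row);
      return row;
    },
  },
});

// Run a root field as a given role; returns the result or the denial message.
function run(typeName, field, args, role) {
  const context = role ? { user: { role } } : {};
  try {
    return resolvers[typeName][field](null, args, context, null);
  } catch (err) {
    return err.message;
  }
}
```

A USER calling createCategory is rejected before the store is touched, and a field with no rule (users) is denied even to ADMIN, so a newly generated query or mutation stays closed until a rule is written for it.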

@wwwy3y3 Any updates on this?

davidgustys avatar May 06 '19 12:05 davidgustys