spring-graphql
                                
Hide parts of schema
Hi, just highlighting for consideration, I think it would be useful to hide certain parts (fields, types) of the schema based on authorization. There are some uses of it if you google "graphql hide fields". I personally haven't used this feature.
You can create a SchemaMapping for the fields and return null / empty if the user doesn't have permission.
Thanks for raising this. It seems quite related to #116 although it's not entirely clear whether the same directives would be used for this as well or whether hiding would have to be expressed differently. More generally if defining authorization should result in field errors or those errors simply being hidden. /cc @rwinch
It's also not clear to me what should be hidden? We have the schema printing endpoint that returns the full schema. There is GraphQL introspection that could be used. There are GraphQL responses as well. Anything else? I imagine any hiding mechanism should cover all of those or otherwise it's not really hiding it.
Any further details around the actual use case and needs would be helpful to hear and keep in mind. Some examples from real world APIs could also be worth checking (GitHub's comes to mind as having such a feature).
I imagine the use case is to have certain fields/types appear as if they don’t exist in the schema for the user who doesn’t have permission to see them. Must not disclose the permission requirements to the user.
It sounds like this should be enforced at the schema printing level and introspection level at least. When it comes to responses themselves, nulling out a field that's not marked as nullable in the schema will cause issues.
Back to the use case itself, it seems that this can be useful for:
- hiding data and features to users that lack privileges
- performing feature toggle, schema previews or schema versioning
GraphQL Java seems to support that through field visibility and other frameworks do too.
Are there any relevant conclusions available? It seems that this feature would be helpful to me.