strawberry icon indicating copy to clipboard operation
strawberry copied to clipboard

Published 20 hours ago β€’ verified publisher icon strawberry-graphql

Add runtime features to schema directives

Open lfvarela opened this issue 2 years ago β€’ 7 comments

Currently directives only act as "tags", ideally they would support custom functionality. For example, we'd like to check that a specific request header is set when calling mutations with a given directive.

lfvarela avatar Mar 03 '22 02:03 lfvarela

I've changed the title to be focused on schema directives :)

Client directives are already used at runtime ☺️

Can you all add some use cases for this?

patrick91 avatar Mar 03 '22 16:03 patrick91

Great one would be Apollo's APQ (https://www.apollographql.com/docs/apollo-server/performance/apq/). Build middleware for it πŸ‘―

basvandriel avatar Mar 03 '22 17:03 basvandriel

@basvandriel how would that work? from what I see in those docs you add some directives and then you add a plugin. The directives don't do anything alone, right?

patrick91 avatar Mar 03 '22 17:03 patrick91

@patrick91 As far as I understand, query results are not cached, just the query string to improve improvements. Also has it's security reasons imo. It sends the queries in a sha256 hash. See the diagram in the link

basvandriel avatar Mar 03 '22 17:03 basvandriel

The main use case for me is applying permissions, but have those permissions be visible to the client so that the client knows what headers to send or under what scopes they can access such mutations, without having to look at backend code.

One implementation option or additional idea could be to extend BasePermission to be linked to a directive.

lfvarela avatar Mar 03 '22 20:03 lfvarela

Hey guys,

Joining the conversation here to add my thoughts.

There are some interesting use cases for schema directives that have runtime functionality. For example, I expanded the current schema directive in strawberry-django-plus (https://github.com/blb-ventures/strawberry-django-plus/blob/master/strawberry_django_plus/directives.py) to be able to add runtime permission checking: https://github.com/blb-ventures/strawberry-django-plus/blob/master/strawberry_django_plus/permissions.py

One interesting feature of this approach is that they get printed to the schema, so someone consuming it can parse it to retrieve some extra info. E.g. the frontend guys that work with me parses our schema and checks for the permissions there. Knowing the current user's permissions they can add @include/@skip directives to avoid querying a field that they know they will not have permission for (and even if they did, the runtime functionality would not allow it).

bellini666 avatar Mar 13 '22 15:03 bellini666

Useful!

eugeneyalansky avatar Jun 06 '22 11:06 eugeneyalansky