useOperationFieldPermissions

useOperationFieldPermissions

Package nameWeekly DownloadsVersionLicenseUpdated
@envelop/operation-field-permissionsDownloadsVersionLicenseOct 16th, 2023

@envelop/operation-field-permissions

Disallow executing operations that select certain fields. Useful if you want to restrict the scope of certain public API users to a subset of the public GraphQL schema, without triggering execution (e.g. how graphql-shield works).

Note: This plugin and authorization on a resolver level (or via middleware) are complementary. You should still verify whether a viewer is allowed to access certain data within your resolvers.

Installation

yarn add @envelop/operation-field-permissions

Usage Example

import { execute, parse, specifiedRules, subscribe, validate } from 'graphql'
import { envelop, useEngine, useSchema } from '@envelop/core'
import { useOperationFieldPermissions } from '@envelop/operation-field-permissions'
 
const getEnveloped = envelop({
  plugins: [
    useEngine({ parse, validate, specifiedRules, execute, subscribe }),
    useSchema(schema),
    useOperationFieldPermissions({
      // we can access graphql context here
      getPermissions: async context => new Set(['Query.greetings', ...context.viewer.permissions])
    })
    /* ... other envelops */
  ]
})

Schema

type Query {
  greetings: [String!]!
  foo: String
}

Operation

query {
  foo
}

Response

{
  "data": null,
  "errors": [
    {
      "message": "Insufficient permissions for selecting 'Query.foo'.",
      "locations": [
        {
          "line": 2,
          "column": 2
        }
      ]
    }
  ]
}