UNPKG

@envelop/operation-field-permissions

Version:

Disallow executing operations that select certain fields. Useful if you want to restrict the scope of certain public API users to a subset of the public GraphQL schema, without triggering execution (e.g. how [graphql-shield](https://github.com/maticzav/gr

github.com/n1ru4l/envelop

n1ru4l/envelop

71 lines (57 loc) 1.52 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
## `@envelop/operation-field-permissions` Disallow executing operations that select certain fields. Useful if you want to restrict the scope of certain public API users to a subset of the public GraphQL schema, without triggering execution (e.g. how [graphql-shield](https://github.com/maticzav/graphql-shield) works). **Note:** This plugin and authorization on a resolver level (or via middleware) are complementary. You should still verify whether a viewer is allowed to access certain data within your resolvers. ## Installation ```bash yarn add @envelop/operation-field-permissions ``` ## Usage Example ```ts import { parse, validate, execute, subscribe } from 'graphql' import { envelop, useSchema } from '@envelop/core' import { useOperationFieldPermissions } from '@envelop/operation-field-permissions' const getEnveloped = envelop({ parse, validate, execute, subscribe, plugins: [ useSchema(schema), useOperationFieldPermissions({ // we can access graphql context here getPermissions: async context => new Set(['Query.greetings', ...context.viewer.permissions]) }) /* ... other envelops */ ] }) ``` **Schema** ```graphql type Query { greetings: [String!]! foo: String } ``` **Operation** ```graphql query { foo } ``` **Response** ```json { "data": null, "errors": [ { "message": "Insufficient permissions for selecting 'Query.foo'.", "locations": [ { "line": 2, "column": 2 } ] } ] } ```