@envelop/operation-field-permissions
Disallow executing operations that select certain fields. Useful if you want to restrict the scope of certain public API users to a subset of the public GraphQL schema, without triggering execution (e.g. how graphql-shield works).
Note: This plugin and authorization on a resolver level (or via middleware) are complementary. You should still verify whether a viewer is allowed to access certain data within your resolvers.
Installation
yarn add @envelop/operation-field-permissionsUsage Example
import { execute, parse, specifiedRules, subscribe, validate } from 'graphql'
import { envelop, useEngine, useSchema } from '@envelop/core'
import { useOperationFieldPermissions } from '@envelop/operation-field-permissions'
const getEnveloped = envelop({
plugins: [
useEngine({ parse, validate, specifiedRules, execute, subscribe }),
useSchema(schema),
useOperationFieldPermissions({
// we can access graphql context here
getPermissions: async context => new Set(['Query.greetings', ...context.viewer.permissions])
})
/* ... other envelops */
]
})Schema
type Query {
greetings: [String!]!
foo: String
}Operation
query {
foo
}Response
{
"data": null,
"errors": [
{
"message": "Insufficient permissions for selecting 'Query.foo'.",
"locations": [
{
"line": 2,
"column": 2
}
]
}
]
}