GraphQL endpoint with basic queries

Tamlyn Rhodes requested to merge graphql-types into master

Changes

  • GraphQL type definitions for built-in types
  • GraphQL queries and resolvers for CRUD
  • Authsome permissions check and results filter for each type
  • GraphiQL endpoint
  • Load extra type defs and resolvers from components and/or from config

This doesn't affect the existing REST functionality and can exist alongside.

Authorization

The arguments passed to authsome.can have changed since they were tied to REST semantics.

It is now called several times for each node:

  1. can(userId, 'read', 'collections') uses a verb and the entity name (eventually table name). It throws with an authorization error on failure.
  2. can(userId, 'read', collection) uses the same verb and the actual entity loaded from the DB. If the node returns several entities, this is called once for each. If this check fails it behaves exactly as if the entity did not exist, i.e. it is silently removed from a list of all entities or it throws a not found error if requested by ID.

Notes:

  • Not using URLs means it is easier to implement type 1 auth checks on client side. Type 2 auth checks cannot happen on client side.
  • DataLoader instance can be shared between authsome and resolvers avoiding unnecessary DB queries.

Closes #317 (closed)

Edited by Tamlyn Rhodes
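
The two checks described under Authorization, sketched as an added example that is not part of this merge request or the project's code. The `can(userId, verb, target)` shape comes from the description; the policy, the in-memory `db`, the error classes and the resolver names are hypothetical, and everything is synchronous for brevity where a real authorization call would normally be asynchronous.

```javascript
// Added illustration; every name here except the can(userId, verb, target) shape is hypothetical.
class AuthorizationError extends Error {}
class NotFoundError extends Error {}

// Constructed sample data standing in for the DB.
const db = {
  collections: [
    { id: 'c1', title: 'Public', owners: ['alice'], published: true },
    { id: 'c2', title: 'Draft', owners: ['alice'], published: false },
  ],
}

// Constructed policy. A string target is the type-level check (check 1);
// an object target is the entity-level check (check 2).
function can(userId, verb, target) {
  if (typeof target === 'string') return userId !== null // any logged-in user may query the type
  if (verb !== 'read') return false
  return target.published || target.owners.includes(userId)
}

// Check 1: verb + entity name. Fails loudly with an authorization error.
function assertTypeAccess(userId, verb, type) {
  if (!can(userId, verb, type)) {
    throw new AuthorizationError(`${verb} on ${type} denied`)
  }
}

// List resolver: check 1 once, then check 2 per entity, silently dropping failures.
function listCollections(userId) {
  assertTypeAccess(userId, 'read', 'collections')
  return db.collections.filter(c => can(userId, 'read', c))
}

// By-ID resolver: a failed entity check must be indistinguishable from a missing row,
// so both paths throw the same error with the same message shape.
function getCollection(userId, id) {
  assertTypeAccess(userId, 'read', 'collections')
  const entity = db.collections.find(c => c.id === id)
  if (!entity || !can(userId, 'read', entity)) {
    throw new NotFoundError(`collection ${id} not found`)
  }
  return entity
}
```

Because a denied entity and a missing one raise the same error, a caller cannot use the by-ID query to probe which IDs exist.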