Apollo-server: Async context

Granted, I am no expert. But, is accessing data really an all or nothing thing, ever? I would venture to say, in most cases, probably not. If it is a web application, there is always going to be something available to view even for an anonymous user at some point. Thus yes, resolvers should individually check on "viewable" permissions. And, in general, most resolvers should be asynchronous too, so data can be fetched in parallel saving time. So, I think what you call a workaround is the solution. 😄

Rejection of the user up front should be done in your authentication process.

This is a great article on the subject.

https://dev-blog.apollodata.com/a-guide-to-authentication-in-graphql-e002a4039d1

Scott

Hi @smolinari, appreciate the comments (and link) but:

1). What do you mean by rejection of the user up front? Anything can make an XMLHTTP POST call to the /graphql endpoint; you could use curl from your laptop. The endpoint needs to be securely authenticated.

2). A GraphQL query may invoke many resolvers, so doing this check for each seems expensive (the JWT decoder will cache the token, but it seems like the wrong place to do this check).

OK, so I think I figured out a better way using async/await.

~~~~
function getUser(request) {
return new Promise() { DO ASYNC HERE };
}

router.use(''graphql', graphqlExpress(async function(request) {
let user = await getUser(request)
return {
context: { user }
}
}));
~~~~

What do you mean by rejection of the user up front?

I meant, if a user needs to be authenticated, that step should have been done, before the request is passed on to GraphQL.

2). A GraphQL query may invoke many resolvers, so doing this check for each seems expensive (the JWT decoder will cache the token, but it seems like the wrong place to do this check).

If the user is already authenticated, then it would be a validated user passed into the resolvers. There is no more checking on the user's authenticity at the resolver level. What happens next in the resolver is business logic for authorization to answer the question, "can this particular user see the data available through this resolver?" That question most definitely needs to be answered at that point too, and for each resolver (except the case of a completely public API).

Scott

@richburdon you can return a promise for an options object instead of an options object.

From the docs:

Alternatively, GraphQL Server can accept a function which takes the request as input and returns a GraphQLOptions object or a promise that resolves to one

Thanks very much @helfer I missed that.

@helfer: can you link to where you found that, or better yet, to today's doc? Googling for "Alternatively, GraphQL Server can accept a function which takes the request as input and returns a GraphQLOptions object or a promise that resolves to one" find this issue as the best match.

Here is that info from the docs: https://www.apollographql.com/docs/apollo-server/data/resolvers/#the-context-argument

Context initialization can be asynchronous, allowing database connections and other operations to complete:

context: async () => ({
  db: await client.connect(),
})