Apollo-server: Document validationRules option

Created on 14 Feb 2017 · 5 Comments · Source: apollographql/apollo-server

Currently, all the documentation tells us is that you can pass an array of functions to the validationRules option, e.g. of graphqlExpress.

I couldn't find any place as to how those functions work, i.e. what is their input and required output etc.

I found this test that appears to show one possible scenario:
https://github.com/apollographql/graphql-server/commit/b2279fd9f09109f28ff69527af9d0a9f298c66ae#diff-365e99414d1d9cf4b99921b2dd25bf7fR380

So I assume the functions need to return an object with an enter() property?

I am trying to authorise queries based on what data they queried for, and it looks like this would be the right place to do it (so I don't have to add auth logic to every single resolver).
But some clarification is definitely needed here.

Thanks.

All 5 comments

@batjko query validation is definitely not the right place to do permissions logic. Validation is a well-defined step in GraphQL execution as defined by the spec, which is only supposed to check if the query is a valid query string.

To put it a different way, the expectation is that a query only needs to be validated once for all users, so the validation outcome shouldn't change per user.

Ah, that explains the lack of documentation. I suppose it's not obvious to me what part of Apollo's various packages' APIs are essentially handed through from graphql-js.

Ok thanks for clearing that up, @stubailo. I'll stick the auth logic into the resolvers then.

Hi,

I've been trying different places where I could put the authorization logic, and the validation is the only point where it is perfect, so it's not spread all over the graphql resolvers.

From my point of view, validation can be used to do all kinds of validations your server/logic needs to perform, even the permission check.

It's a central point that can be easily isolated, changed and with no impact on other components if the validation logic or authorization system change.

This said, and in order to avoid this kind of discussion, I really think GraphQL should define one or more places where the authorization should be performed, and ideally as an isolated component, not spread all over the resolvers to minimize change impact.

That's my point of view, of course ;)

Carlos

But, what about the validationRules documentation? What is its purpose and how to use it?

Not looking to reopen this issue, but for the others who are curious about how these rules work and end up here: validationRules are part of the core graphql library. You can find their implementation here (with helpful comments documenting usage):

https://github.com/graphql/graphql-js/blob/master/src/language/visitor.js#L139

For examples, see this directory containing the core rules that are applied:

https://github.com/graphql/graphql-js/tree/master/src/validation/rules
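To answer the original question about what these functions look like, here is an added example (not code from the issue, apollo-server or graphql-js) of a rule in the shape graphql-js expects: a function that receives the validation context and returns a visitor object with enter()/leave() callbacks keyed by AST node kind. The rule rejects queries nested deeper than a limit, a per-query check that gives the same verdict for every user, which is the kind of thing validation is meant for. So that it runs offline, the `visitSelections` walker and the hand-built query AST are stand-ins for graphql-js's `visit()` and parser (assumptions of this example, not the library's API).

```javascript
// Added example (not from the issue or apollo-server). A rule is a function
// taking the validation context and returning a visitor keyed by node kind.
// Rule: reject queries nested deeper than maxDepth. The verdict is the same
// for every user, which is the kind of check validation is meant for.
function createMaxDepthRule(maxDepth) {
  return function MaxDepthRule(context) {
    let depth = 0;
    return {
      Field: {
        enter(node) {
          depth += 1;
          if (depth > maxDepth) {
            context.reportError(new Error(
              `Query exceeds maximum depth of ${maxDepth} at field "${node.name.value}"`));
          }
        },
        leave() { depth -= 1; },
      },
    };
  };
}
// Minimal stand-in for graphql-js's visit() (assumption, so this runs offline):
// walks Field nodes depth-first, calling enter before the children and leave
// after them. The real visitor handles every AST node kind, not only Field.
function visitSelections(selectionSet, visitor) {
  for (const node of selectionSet.selections) {
    if (node.kind !== 'Field') continue;
    if (visitor.Field.enter) visitor.Field.enter(node);
    if (node.selectionSet) visitSelections(node.selectionSet, visitor);
    if (visitor.Field.leave) visitor.Field.leave(node);
  }
}
// Runs each rule over the document with a context exposing reportError() and
// returns the collected errors, mirroring what graphql-js's validate() does.
function validate(document, rules) {
  const errors = [];
  const context = { reportError: (err) => errors.push(err) };
  for (const rule of rules) visitSelections(document.selectionSet, rule(context));
  return errors;
}
// Hand-built AST (constructed) for: { user { friends { friends { name } } } }
function field(name, children) {
  return { kind: 'Field', name: { value: name },
    selectionSet: children ? { selections: children } : undefined };
}
const deepQuery = { selectionSet: { selections: [
  field('user', [field('friends', [field('friends', [field('name')])])]),
] } };
console.log(validate(deepQuery, [createMaxDepthRule(3)]).map((e) => e.message));
```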
