Issue by sorenbs
_Thursday Sep 07, 2017 at 17:30 GMT_
_Originally opened as https://github.com/graphcool/api-bugs/issues/265_
Comment by kbrandwijk
_Thursday Sep 07, 2017 at 17:36 GMT_
That doesn't play well with the FR to have more control over the permissions given to a PAT...
Comment by sorenbs
_Thursday Sep 07, 2017 at 18:47 GMT_
That's correct @kbrandwijk
We need a mechanism to specify the pat given to a function context. What do you think of something like this?

```yaml
functions:
  authenticteCustomer:
    handler:
      code:
        src: ./code/authenticate.js
    context:
      rootToken: authenticate
    type: schemaExtension
    schema: ./code/authenticate.graphql
rootTokens:
- authenticate
```

Would it make sense to automatically inject a short lived token unless a rootToken has been specified in the graphcool.yaml file?
This would allow detailed control when you need it and enable a seamless workflow for when you don't care too much about it.
@sorenbs I would like to make this behavior explicit. After all, we're talking about providing a token with unlimited permissions. This should be a conscious action, not something that 'just' happens.
Related: can we also include a way to specify that I want to run a function under the user context (so getting the token from the caller)? Seems like a great opportunity, based on the proposed syntax.
Something like:

```yaml
context:
  includeCallerContext: true
  rootToken: authenticate
```

Do you think there would be scenarios where you need both a rootToken and the user token? Do you think there would be any harm in always including the userToken?
I think more control is nice, think about invoking external webhooks. Could we have more context related information controllable like that? (see #219)
@sorenbs No, I don't think it would hurt to always include the userToken. And yes, I can think of a lot of them.
@marktani Yes, this could also provide the opportunity to expose variables/secrets/anything to a function. Preferably environment variables (I think I created another FR for that in the channel).
Update: can't find the PR.
The idea was that you could add your own variables to the environment file, and reference them in the project file, so the right variables would be added to the context, depending on which env you're deploying to.
.graphcoolrc:

```yaml
default: dev
environments:
  dev:
    projectId: cj.....
    version: 85
    GOOGLE_API_KEY: 'abcde'
  test:
    projectId: cj.....
    version: 8
    GOOGLE_API_KEY: 'cdefg'
```

graphcool.yml:

```yaml
functions:
  MyFunction:
    ...
    context: ['GOOGLE_API_KEY', ...]
```

And maybe also inline variables:

```yaml
functions:
  MyFunction:
    ...
    context:
      variables:
      - GOOGLE_API_KEY
      - SOME_OTHER_ENV_VAR
      - InlineVar: 'Value'
rootTokens:
- myFunctionPat
```

And dependencies?

```yaml
functions:
  MyFunction:
    ...
    dependencies:
    - [email protected]
```

Further discussed in https://github.com/graphcool/graphcool/issues/219.
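
An added example, not code from this thread or from Graphcool: a lint over the parsed form of the syntax proposed above, reporting which functions are explicitly granted a root token and rejecting references to undeclared tokens or undefined environment variables. The name `auditRootTokens`, the sample config and its `sendMail` and `resize` functions are hypothetical, and the key layout (`context.rootToken`, `context.variables`, top-level `rootTokens`) is assumed from the proposal.

```javascript
// Constructed sample: the parsed form of a graphcool.yml using the proposed
// syntax (context.rootToken, context.variables, top-level rootTokens).
const sampleConfig = {
  functions: {
    authenticateCustomer: {
      handler: { code: { src: './code/authenticate.js' } },
      context: { rootToken: 'authenticate' },
      type: 'schemaExtension',
    },
    sendMail: { // hypothetical function asking for a token nobody declared
      handler: { code: { src: './code/mail.js' } },
      context: {
        rootToken: 'mailer',
        variables: ['GOOGLE_API_KEY', { InlineVar: 'Value' }],
      },
    },
    // No context block: under the explicit-grant rule it receives no token.
    resize: { handler: { code: { src: './code/resize.js' } } },
  },
  rootTokens: ['authenticate'],
};

// Hypothetical lint: a root token reaches a function only when the function
// names it explicitly AND the token is declared at the top level.
function auditRootTokens(config, envVars = {}) {
  const declared = new Set(config.rootTokens || []);
  const result = { granted: {}, errors: [] };
  for (const [name, fn] of Object.entries(config.functions || {})) {
    const ctx = fn.context || {};
    if (ctx.rootToken !== undefined) {
      if (declared.has(ctx.rootToken)) {
        result.granted[name] = ctx.rootToken;
      } else {
        result.errors.push(`${name}: rootToken "${ctx.rootToken}" is not declared in rootTokens`);
      }
    }
    for (const v of ctx.variables || []) {
      // Inline variables are objects and carry their own value; bare names
      // must be defined for the environment being deployed.
      if (typeof v === 'string' && !(v in envVars)) {
        result.errors.push(`${name}: variable "${v}" is not defined for this environment`);
      }
    }
  }
  return result;
}

const report = auditRootTokens(sampleConfig, { GOOGLE_API_KEY: 'abcde' });
console.log(JSON.stringify(report, null, 2));
```
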