Don't return unauthorized fields

[BryceDalbey]

@hayes Though I know you hear it often I still feel the need to thank you for what you've done with Pothos. It really is incredible.

I'm using the Auth plugin (and Prisma) and would like to respond to requests for unauthorized fields by not including those fields in the response. I know things like this have been discussed (e.g. graphql/graphql-js#1298, graphql/graphql-spec#906) but I haven't found a good workaround. So I'm throwing a hail mary: is there some way of doing this with pothos?

It appears that unauthorizedResolver return values (including undefined and void) get serialized to null if they aren't of the field type but I can't use null as the unauthorized value for many fields since it often signifies an empty value. Plan b is to use a different special value for each field type (e.g. 'unauthorized' for string fields, -999999 for int fields, etc) but I'd prefer to simply not include them if that is possible.

Any help or advice would be very much appreciated. Thanks again.

[hayes]

Unfortunately this isn't something that can be done in GraphQL in a spec compliant way. That being said, it's something you could do outside of pothos. I'm not sure it's a good idea, but if you want to go down this road, here is an option:

• Add an unauthorizedFields array or something to you context object
• In your unauthorized resolver push the path from the info object into the list of unauthorized fields and return null
• Write a plugin for you server (Envelop for yoga, apollo has their own plugin system) that loops over the collected unauthorized fields and deletes them from the response.

This pattern isn't something I would recommend, but hopefully that helps give you an idea of how it could be done if you want to build something like this your self.

[BryceDalbey]

Thanks for this. Could you say a little about why you wouldn't recommend this?

[hayes]

If you remove requested fields from the response, you are violating the GraphQL spec. Graphql expects that you return data of the exact shape you requested

[BryceDalbey]

Thanks. If I do go this way, is it possible to set a default unauthorizedResolver in the builder? I get a type error when adding it in scopeAuthOptions.

[hayes]

not currently, but PRs are welcome!