#Field-level Authorization N+1 Solution

1 messages · Page 1 of 1 (latest)

jagged flame
#

I can't find much resources regarding Field-level authorization, more so with the N+1 problem, but if you know of one, please let me know.

Currently, the best way so far I have found with field-level authorization is with this style.

Schema

Type User {
  id: ID
  profile: Profile
  ...
}

type Profile {
  ...
  emailAddress: String
}

Parent User resolver

@ResolveField('profile')
async profile(
  @Parent() parent: User,

  // Type added for the sake of TS. This includes the things I want to pass from the parent to this level. I'm not using @Parent(), because then, I would have to return emailAddress from the parent, and hope that this federation (?) is not broken and this fieldResolver runs. And if it's broken, then it would just return from the parent
  @Context() context: ProfileContext
): Promise<UserProfileWithoutEmail> {
  ...
  const profile = profileDataLoader.loader(parent.id)
  context.emailAddress = profile.emailAddress
  return {
  ...fields except emailAddress, and for someone reason, this doesn't include an id I can use as the dataloader in the ProfileResolver class
  }
}

Child Field to authorize.

@ResolveField('emailAddress')
async emailAddress(
  @Context() context: ReadOnlyProfileContext,

  // From Keycloak. I've set it up to include a permission array
  @AuthenticatedUser() user: AuthenticatedUserType
): Promise<string | null> {
  // Authorization check - users with email view permissions
  // Runs N+1 times
  if (user.permissions.include('emailView')) {
    return context.emailAddress
  }
  return null
}

But as you can see, the auth part runs N+1. It looks alright here because it's only .include(), but what if it's a more complicated auth check?

Is there a guide or a best practice to mitigate N+1 auth checks?

glossy quarry
#

For the n+1 problem in general in graphql you are supposed to use dataloader to batch request

jagged flame
#

I'm already using a dataloader to fetch the data.

I just thought about it, but do you think it's clean/alright to add the auth check in my dataloader so it only runs once, then based on that 1 auth check, filter out the emailAddress before from the dataloader's result.

Then possibly pass the permissions array to the .loda(), right?

Though I'm worried that kind of breaks single responsibility principle, as it would be ideal that the auth mechanism is seen in the emailAddress fieldResolver or at least a glimpse that an auth check is being done.

#

I apologize if this was such a noob question, but up until now, I've only seen dataloader as a way to batch requests to our gRPC service.

I haven't thought of a way to use it in this context.

I'll try to think of it again. Thanks!