2
votes

I have an application with users who have many attributes, some of which are public, and some of which are private by default and can become public if the user chooses to do so.

How can I handle the fetching of private attributes? I mean, I want that, for instance, if I try to fetch all the user's attributes, I'll get all his public attributes, and some null-ish value for his private attributes (and not an unauthorized error message).

I also want to somehow override this so the user will have no trouble fetching all of his data.


2 Answers

3
votes

As DARK_DUCK already stated: you would decide what to return for a certain user in the resolve method of the attributes in your GraphQL server-side schema.

I save necessary data for user authentication in a cookie. Then I pass this authentication data down to the GraphQL schema in the root value. In the resolve method of private user data I check the access rights and return the appropriate data (null or the actual data).

I made a small example repository on how to handle authentication and private data with Relay and GraphQL. See this file and the posts attribute for a detailed example.

1
votes

The privacy of your fields should be done on the server side.

You can set all private attributes to null in the global resolve function of your User model, or add resolve functions to potentially private attributes.

Then with Relay you fetch everything, and in your component you check for null values and display what you want (a lock, for example, to indicate that the value is private).

Hope it helps.
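The approach both answers describe (decide per field in the resolve function, return null rather than an error, and let the owner read everything), as an added example that is not code from either answer or the linked repository. The field names, `publishedFields` and `context.viewer` are hypothetical; the resolvers use the `(source, args, context)` signature that graphql-js passes to resolve functions, but the block runs without the library, and it takes the viewer from the context where the first answer uses the root value.

```javascript
// Field classification lives on the server. Anything not listed is denied (fail closed).
const PUBLIC_FIELDS = new Set(["id", "displayName"]);
const PRIVATE_FIELDS = new Set(["email", "phone", "birthday"]);

// May `viewer` read `field` of `user`?
function canRead(user, field, viewer) {
  if (PUBLIC_FIELDS.has(field)) return true;
  if (!PRIVATE_FIELDS.has(field)) return false;        // unknown field: never exposed
  if (viewer && viewer.id === user.id) return true;    // owner override
  // Private by default; readable by others only if the owner opted in.
  return Array.isArray(user.publishedFields) && user.publishedFields.includes(field);
}

// Build a resolver in the (source, args, context) shape graphql-js uses.
// context.viewer must come from the server-verified session (for example the
// auth cookie), never from query arguments supplied by the client.
function guardedField(field) {
  return (user, _args, context) => {
    const viewer = context && context.viewer ? context.viewer : null;
    return canRead(user, field, viewer) ? (user[field] ?? null) : null;
  };
}

// One guarded resolver per schema field of the hypothetical User type.
const userResolvers = {};
for (const f of [...PUBLIC_FIELDS, ...PRIVATE_FIELDS]) userResolvers[f] = guardedField(f);

// Stand-in for the GraphQL executor: resolve every schema field for one viewer.
function resolveUser(user, context) {
  const out = {};
  for (const [field, resolve] of Object.entries(userResolvers)) {
    out[field] = resolve(user, {}, context);
  }
  return out;
}

// Constructed sample record; passwordHash is stored but is not a schema field.
const alice = {
  id: "u1", displayName: "alice", email: "alice@example.test",
  phone: "555-0100", birthday: "1990-01-01",
  publishedFields: ["email"], passwordHash: "constructed-placeholder",
};
```

Because a hidden value and an unset value both come back as null, a client cannot tell from the response alone whether a private attribute exists.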