Allow-List Operation Fields

💡

This page is currently under construction and expected to change. Please feel free to reach out to us directly in case you are having any troubles.

With this plugin you can automatically reject GraphQL operations that include specific field selections within the operations selection set. It works by extracting a set of schema coordinates from the context object. A custom validation rule will verify whether the selection only includes allowed selections and prevent the execution of the operation if it encounters any prohibited selections.

This plugin is perfect for use-cases where you want the whole schema being introspectable, but restrict access to a certain part of the Graph only to specific users. E.g. in a payment subscription model, where API users should only have access to the data that is included within the plan.

Basically, it disallows executing operations that select certain fields. It is useful if you want to restrict the scope of certain public API users to a subset of the public GraphQL schema, without triggering execution (e.g. how graphql-shield works).

How to use?

npm install @envelop/operation-field-permissions

pnpm add @envelop/operation-field-permissions

yarn add @envelop/operation-field-permissions

bun add @envelop/operation-field-permissions

Then, add it to your plugins:

mesh.config.ts

import { useOperationFieldPermission } from '@envelop/operation-field-permissions'
import { defineConfig } from '@graphql-mesh/serve-cli'
 
export const serveConfig = defineConfig({
  plugins: pluginCtx => [
    useOperationFieldPermission({
      // we can access graphql context here
      // `context` has `request` object that includes `headers` etc.
      // See [Request](https://developer.mozilla.org/en-US/docs/Web/API/Request) for more information
      getPermissions: async context => new Set(['Query.greetings'])
    })
  ]
})

Generic Auth Subscriptions