graphqlgraphcool

authenticate user and serve only their related data


I have a schema in graphcool with these nodes (not sure what the correct term is here... leaf? node? model? type??)

type User @model {
  auth0UserId: String @isUnique
  createdAt: DateTime!
  id: ID! @isUnique
  userIdentifier: String
  bundleIdentifier: String
  updatedAt: DateTime!
  devices: [Device!]! @relation(name: "UserOnDevice")
  tokens: [Token!]! @relation(name: "TokenOnUser")
}

type Device @model {
  id: ID! @isUnique
  deviceIdentifier: String!
  users: [User!]! @relation(name: "UserOnDevice")
  token: Token @relation(name: "DeviceOnToken")
}

I'd like to make it so that a user must be authenticated and be related to the device data to be able to query on it. So, for a query like:

query($deviceIdentifier: String!) {
    device(deviceIdentifier: $deviceIdentifier) {
        id
    }
}

This should return null unless they are autthenticated and are a user in the specified relation. I was thinking I needed a permission query like this one:

query ($node_id: ID!, $user_id: ID!) {
  SomeDeviceExists(filter: {
    id: $node_id,
    users: {
      id: $user_id
    }
  })
}

But it turns out that is invalid. How do I do it?


Solution

  • query ($node_id: ID!, $user_id: ID!) {
      SomeDeviceExists(filter: {
        id: $node_id,
        users_some: {
          id: $user_id
        }
      })
    }
    

    but this does require submitting the user_id in the request.