This is a question as well as a suggestion.
I'm combining graphql-ruby and graphql-guard with Doorkeeper+Sorcery to handle my authentication. In my graphql_controller.rb I have:
```ruby
# UnauthenticatedError is a custom exception class defined elsewhere in the app.
def current_user
  token = Doorkeeper.authenticate(request)
  unless token&.accessible?
    raise UnauthenticatedError
  end
  current_resource_owner
rescue UnauthenticatedError
  GraphQL::ExecutionError.new('Unauthenticated', extensions: { code: 'AUTHENTICATION_ERROR' })
end
```
And my policy is:
```ruby
...
Types::WorkoutType => {
  '*': ->(obj, args, ctx) { obj.try(:author) == ctx[:current_user] || ctx[:current_user].try(:admin) }
},
...
```
So when a user is not authenticated, I expect the `Unauthenticated` error to be returned, but instead I get the `Not authorized to access #{type}.#{field}` defined in `graphql_controller.rb`.
Question:
Would it make sense to add the context to the callback so one could do something like this?
```ruby
use GraphQL::Guard.new(
  policy_object: GraphqlPolicy,
  not_authorized: ->(type, field, ctx) do
    ctx.add_error(GraphQL::ExecutionError.new("Not authorized to access #{type}.#{field}"))
  end
)
```
That way we wouldn't remove any other errors that are in there and we can see that we are in fact unauthenticated as well as unauthorized.
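As an added illustration of the suggestion above (not code from the issue author or from graphql-guard), the following is a small constructed model of a field guard whose `not_authorized` hook receives the context: the `Context`, `guarded_resolve`, `build_context` and `error_codes` names, the `AUTHORIZATION_ERROR` code, and the choice to record the authentication error in the context while leaving `current_user` nil are all assumptions of this example, and ActiveSupport's `try` is replaced by a plain nil check.

```ruby
# Added example, not graphql-guard's code: a minimal model of a field guard whose
# not_authorized hook receives the context, so an authentication error recorded
# earlier survives next to the authorization error instead of being replaced.
ExecutionError = Struct.new(:message, :extensions)
User = Struct.new(:name, :admin)
Workout = Struct.new(:author, :title)

# Constructed stand-in for the graphql-ruby query context: values plus an error list.
class Context
  attr_reader :errors
  def initialize(values); @values, @errors = values, []; end
  def [](key); @values[key]; end
  def add_error(err); @errors << err; end
end

# Same shape as the policy in the issue; ActiveSupport's `try` replaced by a nil check.
POLICY = {
  Workout => { '*' => ->(obj, _args, ctx) {
    obj.author == ctx[:current_user] || (ctx[:current_user] && ctx[:current_user].admin)
  } }
}

# The hook shape proposed in the issue: with ctx available, errors accumulate.
NOT_AUTHORIZED = ->(type, field, ctx) do
  ctx.add_error(ExecutionError.new("Not authorized to access #{type}.#{field}", { code: 'AUTHORIZATION_ERROR' }))
end

# Constructed guard: evaluate the type's wildcard rule before resolving the field.
def guarded_resolve(obj, field, ctx)
  rule = POLICY.fetch(obj.class).fetch('*')
  return obj.public_send(field) if rule.call(obj, {}, ctx)
  NOT_AUTHORIZED.call(obj.class.name, field, ctx)
  nil
end

# Authentication step (assumption): a missing token records the error in the context
# and leaves current_user nil, rather than returning the error object as the user value.
def build_context(token)
  user = token && token[:user]
  ctx = Context.new({ current_user: user })
  ctx.add_error(ExecutionError.new('Unauthenticated', { code: 'AUTHENTICATION_ERROR' })) if user.nil?
  ctx
end

# Resolve one field and return the error codes left in the context, in order.
def error_codes(token, workout)
  ctx = build_context(token)
  guarded_resolve(workout, :title, ctx)
  ctx.errors.map { |e| e.extensions[:code] }
end
```

With no token the context ends up holding both `AUTHENTICATION_ERROR` and `AUTHORIZATION_ERROR`, which is the outcome the suggestion is after.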