Accessing restricted model property returns both data and errors #813

yss14 · 2021-03-11T18:45:38Z

yss14
Mar 11, 2021

So it's the first time for me running into a situation where some properties of a model are protected via an authorization decorator. I also set {nullable:true} as option so that the server still returns the remaining data for unauthorized users.
However, I noticed that requesting the data in an unauthorized way returns both the data (protected properties are null) and an errors array including an error for each access attempt.
Now my question is whether this is the intended behaviour (my guess would be yes) and how is the best practice to handle it? Just ignore the errors array on the frontend side if data is still there?

Query Result:

{
  "data": {
      "share": {
        "id": "f9d531d3-94f0-4876-af17-deda34194345",
        "members": [
          {
            "id": "f0d8e1f0-aeb1-11e8-a117-43673ffd376b",
            "name": "<name>",
            "email": "<email>",
            "status": null,
            "permissions": null,
            "shareID": "f9d531d3-94f0-4876-af17-deda34194345",
            "dateJoined": "2021-03-11T18:15:39.595Z"
          },
          {
            "id": "3ba6fab4-f6ad-4916-9f1d-cdcfe522fd8e",
            "name": "<name>",
            "email": "<email>",
            "status": null,
            "permissions": null,
            "shareID": "f9d531d3-94f0-4876-af17-deda34194345",
            "dateJoined": "2021-03-11T18:15:39.598Z"
          }
        ]
      }
    },
  "errors": [
    {
      "message": "User has insufficient permissions to perform this action!",
      "locations": [{ "line": 8, "column": 7 }],
      "path": ["share", "members", 0, "status"],
      "extensions": {
        "code": "FORBIDDEN"
      }
    },
    {
      "message": "User has insufficient permissions to perform this action!",
      "locations": [{ "line": 9, "column": 7 }],
      "path": ["share", "members", 0, "permissions"],
      "extensions": {
        "code": "FORBIDDEN"
      }
    },
    {
      "message": "User has insufficient permissions to perform this action!",
      "locations": [{ "line": 8, "column": 7 }],
      "path": ["share", "members", 1, "status"],
      "extensions": {
        "code": "FORBIDDEN"
      }
    },
    {
      "message": "User has insufficient permissions to perform this action!",
      "locations": [{ "line": 9, "column": 7 }],
      "path": ["share", "members", 1, "permissions"],
      "extensions": {
        "code": "FORBIDDEN"
      }
    }
  ],
}

Answered by MichalLytek

Mar 11, 2021

Yes, that's how GraphQL works.

If something bad happens, like TypeError or undefined is not a function inside the resolver, the errors bubbles up in the types and fields chain (nested properties) until it find a nullable field.

Then it continues resolving other fields, because the response is still matching the defined types.

So you can have "partial" response and the errors array containing the detailed info.

Just ignore the errors array on the frontend side if data is still there?

That's up to you - I think frontend should never make a query that violates validation or authentication rules.
Most implementations like Apollo will throw an error if there's some data in errors.

If for som…

View full answer

MichalLytek · 2021-03-11T21:11:01Z

MichalLytek
Mar 11, 2021
Maintainer

Yes, that's how GraphQL works.

If something bad happens, like TypeError or undefined is not a function inside the resolver, the errors bubbles up in the types and fields chain (nested properties) until it find a nullable field.

Then it continues resolving other fields, because the response is still matching the defined types.

So you can have "partial" response and the errors array containing the detailed info.

Just ignore the errors array on the frontend side if data is still there?

That's up to you - I think frontend should never make a query that violates validation or authentication rules.
Most implementations like Apollo will throw an error if there's some data in errors.

If for some reason this doesn't fits you (leaking permissions info), you can use authMode: "null" option to not throw errors but just returns null, if the types are nullable.

3 replies

yss14 Mar 12, 2021
Author

Thanks for that very helpful and detailed answers.

If for some reason this doesn't fits you (leaking permissions info), you can use authMode: "null" option to not throw errors but just returns null, if the types are nullable.

That's exactly the use case, I will try that.

chinanderm Apr 8, 2021

@MichalLytek Thanks! The authMode: "null" config is helpful. However, would it be possible to provide an authMode mode on a specific @Query, @Mutation, or @Authorized, allowing the global mode to be overridden? I have the same use case as @yss14 but I'd like to keep the global default of "error", but set to null on a specific @Authorized on a @Field.

Might look like...

@ObjectType()
class MyClass {
  @Authorized({ authMode: 'null' })
  @Field(() => String, { nullable: true })
  myProtectedField: string | null
}

The alternative here is to add a @FieldResolver for the field and check the authorization status from @Ctx, returning null if the request isn't authorized.

MichalLytek Apr 8, 2021
Maintainer

For custom behavior you should write custom auth layer using middlewares,

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Accessing restricted model property returns both data and errors #813

{{title}}

Replies: 1 comment 3 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

Accessing restricted model property returns both data and errors #813

yss14 Mar 11, 2021

Replies: 1 comment · 3 replies

MichalLytek Mar 11, 2021 Maintainer

yss14 Mar 12, 2021 Author

chinanderm Apr 8, 2021

MichalLytek Apr 8, 2021 Maintainer

yss14
Mar 11, 2021

Replies: 1 comment 3 replies

MichalLytek
Mar 11, 2021
Maintainer

yss14 Mar 12, 2021
Author

MichalLytek Apr 8, 2021
Maintainer