"Not Authorised!" on a field make the containing object null

First of all, I think that graphql-shield adds a clean, generic and maintainable security layer to GraphQL. It doesn’t replace ad-hoc, fine-grained security checks in some resolvers for special cases, but it makes it easy to add uniform basic access control across your whole schema. So kudos to you!

I’m implementing field-level access policies with graphql-shield but I’m having a strange issue. When a field is “Not Authorised!” the parent object is set to null. Here is an example.

Permissions:

```js
const permissions = shield({
  Query: {
    node: allow,
  },
  User: {
    name: allow,
    secret: deny
  }
});
```

Query:

```graphql
{
  node(id: "myId") {
    ... on User {
      name
      secret
    }
  }
}
```

Expected result:

```json
{
  "data": { "node": { "name": "My name" } },
  "errors": [
    {
      "message": "Not Authorised!",
      "locations": [ { "line": 31, "column": 3 } ],
      "path": [ "node", "secret" ]
    }
  ]
}
```

Actual result:

```json
{
  "data": { "node": null },
  "errors": [
    {
      "message": "Not Authorised!",
      "locations": [ { "line": 31, "column": 3 } ],
      "path": [ "node", "secret" ]
    }
  ]
}
```

It’s not an errorPolicy issue on the client because this is extracted from the raw HTTP response. Only the parent object is set to null. A connection query has all fields returned normally, but the edges look like this: edges { edge { node: null }, edge { node: null }, edge { node: null }, edge { node: null } }

I’d like to adopt graphql-shield so let me know if I can help to solve this issue. Thanks.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 10

Top GitHub Comments

9 reactions
maticzav commented, Jul 13, 2018

Perfect, thank you so much for this input. 🎉

So, the reason you are experiencing this issue has to do with how GraphQL processes responses. I’ll use SDL to present the idea, but I believe you should have no problem translating this into your schema as well.

GraphQL uses a strongly typed language. That means that there’s a particular “contract” between client and server which makes sure no result is unpredictable. My thinking is this: if I am querying type book by its id and want to access the id, name and content fields, which are all non-nullable, I rely on the fact that every single field in a book instance will have a value once I get the result. This way, I don’t have to write checks on the frontend to make sure every field, in fact, has a value.

Imagine a situation where one of the fields throws an error. In such a scenario, GraphQL can no longer ensure that all fields in Book will have a value. Hence, to keep the contract trustworthy, it has to return null.

GraphQL Shield works on a similar pattern; if the user has no access to a particular field, we throw an error. Makes sense, doesn’t it? In your specific case, the problem is that secret is a non-nullable field. Taking into consideration the above section, we can easily understand why, in case the customer is not authenticated, user returns null. If it weren’t so, GraphQL would break the contract.

My vague remodelling of your schema looks something like this;

```graphql
type Query {
  node: User!
}

type User {
  name: String!
  ...
  secret: String!
}
```

Now, to fix the error, as you’ve probably guessed by now, you have to change non-null secret to nullable secret.

I hope this helps you solve the problem! 🙂

A quick piece of advice: thinking of the schema as a contract between your client and server could change the way you perceive it. For the field to be non-nullable, you have to ensure that no matter what, the client can receive it.

PS.: Check out the node Query field. Can you ensure that there will always be a user no matter the id?

3 reactions
AlessandroFerrariFood commented, Jul 13, 2018

You are right! I missed the not-null. Changing solved it.

Thank you very much!

PS: node Query field called with wrong id returns a not found graphql error
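
A simplified model of the null-propagation behaviour discussed in this thread, as an added example that is not part of the original posts and is not graphql-js or graphql-shield code. The tiny executor, `makeSchema`, the rule map and the sample values are constructed for illustration; `node` is assumed nullable, matching the response shown in the issue.

```javascript
// Toy executor modelling GraphQL null propagation (constructed, not library code).
// Schema shape: type -> field -> { type, nonNull }.
const makeSchema = (secretNonNull) => ({
  Query: { node: { type: 'User', nonNull: false } },
  User: {
    name: { type: 'String', nonNull: true },
    secret: { type: 'String', nonNull: secretNonNull },
  },
});

// Field-level rules mirroring the issue's permission map: true = allow, false = deny.
const rules = { Query: { node: true }, User: { name: true, secret: false } };
const resolvers = { Query: { node: () => ({ name: 'My name', secret: 's3cret' }) } };
class NullBubble extends Error {}

function executeSelection(schema, typeName, source, selection, path, errors) {
  const result = {};
  for (const [field, sub] of Object.entries(selection)) {
    const def = schema[typeName][field];
    const fieldPath = [...path, field];
    let value = null;
    try {
      if (!rules[typeName][field]) throw new Error('Not Authorised!');
      const resolve = (resolvers[typeName] || {})[field];
      const raw = resolve ? resolve(source) : source[field];
      value = sub && raw != null
        ? executeSelection(schema, def.type, raw, sub, fieldPath, errors)
        : (raw ?? null);
    } catch (err) {
      // Only the original failure is reported; a bubbling null adds no new error.
      if (!(err instanceof NullBubble)) errors.push({ message: err.message, path: fieldPath });
    }
    // A null in a non-null position invalidates the whole parent object.
    if (value === null && def.nonNull) throw new NullBubble();
    result[field] = value;
  }
  return result;
}

function execute(schema, selection) {
  const errors = [];
  try {
    return { data: executeSelection(schema, 'Query', {}, selection, [], errors), errors };
  } catch (err) {
    return { data: null, errors };
  }
}

const query = { node: { name: null, secret: null } }; // leaf fields carry no sub-selection
const strict = execute(makeSchema(true), query);   // secret: String! -> node becomes null
const relaxed = execute(makeSchema(false), query); // secret: String  -> only secret is null
```

In both runs the denied value never reaches the response; the nullability of `secret` only decides whether the authorised sibling field `name` survives alongside the error.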
