Generic auth resolveUserFn being called for Public Fields in protect-granular Mode #2364

Open
@ethdev279

Discussed in #2363

Originally posted by ethdev279 January 11, 2025

I’m using @envelop/generic-auth in my GraphQL Yoga server, following this example. I’ve set mode to protect-granular, expecting the resolveUserFn to only be called for fields marked with the @authenticated directive. However, I noticed that resolveUserFn is being called for all fields, including public fields that don’t require authentication.

This behavior adds unnecessary overhead for fields that don’t need user resolution or validation.

What I was expecting:

In protect-granular mode:

  • resolveUserFn should only be invoked for fields marked with the @authenticated directive.
  • Public fields should bypass user resolution and validation.

Actual Behavior

  • resolveUserFn is executed for all fields, including public fields, leading to unnecessary overhead.

Reproduction

  1. Schema:

    directive @authenticated on FIELD_DEFINITION

    type Query {
      requiresAuth: String @authenticated
      public: String
    }

  2. Plugin setup in GraphQL Yoga:

    useGenericAuth({
      mode: 'protect-granular',
      async resolveUserFn(context) {
        const token = context.request.headers.get('x-authorization');
        // further validations: decoding, getting user details from db, etc.
        return token ?? null;
      },
    });

  3. Query:

    query {
      public
    }

  4. Observe that resolveUserFn is called for the public field.

Any thoughts on this?
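The behaviour the reporter expects, sketched as an added example that is not code from the issue or from @envelop/generic-auth: user resolution is skipped only when no selected field, at any depth, carries @authenticated. It goes beyond the issue's schema to cover nested selections; the schema model, the `profile` field, the `Profile` type and the helper names are assumptions made for illustration.

```javascript
// Constructed schema model. Query.requiresAuth and Query.public come from the
// issue; Query.profile and the Profile type are assumptions added to show nesting.
const schema = {
  Query: {
    requiresAuth: { type: 'String', authenticated: true },
    public: { type: 'String' },
    profile: { type: 'Profile' },
  },
  Profile: {
    name: { type: 'String' },
    email: { type: 'String', authenticated: true },
  },
};

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns true when any selected field, at any depth, is marked @authenticated.
// Unknown types or fields also return true, so the gate fails closed.
function selectionNeedsUser(typeName, selections) {
  if (!own(schema, typeName)) return true;
  const fields = schema[typeName];
  return selections.some((sel) => {
    if (sel.name === '__typename') return false; // introspection meta field
    if (!own(fields, sel.name)) return true;
    const def = fields[sel.name];
    if (def.authenticated) return true;
    const children = sel.selections || [];
    return children.length > 0 && selectionNeedsUser(def.type, children);
  });
}

// Hypothetical gate: resolveUser stands in for the issue's resolveUserFn and is
// called only when the operation selects a protected field.
function gateUserResolution(selections, resolveUser) {
  if (!selectionNeedsUser('Query', selections)) {
    return { resolved: false, user: null };
  }
  return { resolved: true, user: resolveUser() };
}
```

A gate that inspected only top-level fields would skip resolution for `profile { email }` and leave the protected nested field without a user to check.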
