
return status code from graphql yoga


In graphql yoga, inside my resolvers, I check before the resolver call whether this resolver is protected or not.

If the resolver is protected and the user is not signed in, I can throw an error like this: return new Error('Token is missing');

This stops execution of the request and returns the correct shape of message, with an error field.

{
  "data": null,
  "errors": [
    {
      "message": "Token is missing",
      "locations": [
        {
          "line": 3,
          "column": 3
        }
      ],
      "path": [
        "users"
      ]
    }
  ]
}

The response has status 200 though, which is not correct. I'd like to be able to choose my own status, like 403 for example.

Here is my current implementation of resolvers:

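const jwt = require('jsonwebtoken');

// Wraps a resolver so it only runs when context.token verifies.
const withAuth = authed => (_, args, context, ...rest) => {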
    if (!context.token) {
        return new Error('Token is missing');
    }

    let result = null;

    try {
        result = jwt.verify(context.token, process.env.HASH);
    } catch (__) {
        return new Error('Incorrect token');
    }

    const { username, email } = result;
    if (!username || !email) {
        return new Error('Incorrect token');
    }

    return authed(_, args, { ...context, user: { username, email } }, ...rest);
};


const resolvers = {
    Query: {
        users: withAuth(resolver(User)), // get users from db
    },
};

I would add a before-request middleware in express, but there is no way of telling which query is being called, as all calls are done to the same endpoint.

Any input will be appreciated!


Solution

  • As per the GraphQL specification, the endpoint should always return status 200:

    http://facebook.github.io/graphql/October2016/#sec-Errors

    The errors entry in the response is a non‐empty list of errors, where each error is a map.

    If no errors were encountered during the requested operation, the errors entry should not be present in the result.

    Every error must contain an entry with the key message with a string description of the error intended for the developer as a guide to understand and correct the error.

    If an error can be associated to a particular point in the requested GraphQL document, it should contain an entry with the key locations with a list of locations, where each location is a map with the keys line and column, both positive numbers starting from 1 which describe the beginning of an associated syntax element.

    GraphQL servers may provide additional entries to error as they choose to produce more helpful or machine‐readable errors, however future versions of the spec may describe additional entries to errors.

    If the data entry in the response is null or not present, the errors entry in the response must not be empty. It must contain at least one error. The errors it contains should indicate why no data was able to be returned.

    If the data entry in the response is not null, the errors entry in the response may contain any errors that occurred during execution. If errors occurred during execution, it should contain those errors.
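
Added example, not part of the original question or answer: the quoted spec text lets servers add entries to an error, so the auth outcome can travel as a machine-readable code inside `errors` while the HTTP status stays 200. `AuthError`, `signHs256`, `verifyHs256` and `runField` are hypothetical names; `verifyHs256` stands in for `jwt.verify` so the block runs with Node built-ins only, and the code is placed under `extensions`, which is where later revisions of the spec put such entries.

```javascript
// Added example; AuthError, signHs256, verifyHs256 and runField are hypothetical names.
const crypto = require('crypto');
// Error type that carries a machine-readable code next to the message.
class AuthError extends Error {
  constructor(message, code) { super(message); this.code = code; }
}

const b64u = buf => buf.toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
const mac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Mints constructed sample tokens (HS256 only) so the example runs offline.
function signHs256(payload, secret) {
  const body = b64u(Buffer.from('{"alg":"HS256","typ":"JWT"}')) + '.' +
    b64u(Buffer.from(JSON.stringify(payload)));
  return body + '.' + b64u(mac(body, secret));
}

// Stand-in for jwt.verify: always HMAC-SHA256, compared in constant time.
function verifyHs256(token, secret) {
  const [h, p, s, ...extra] = String(token).split('.');
  if (!h || !p || !s || extra.length) throw new Error('malformed token');
  const expected = mac(h + '.' + p, secret);
  const given = Buffer.from(s, 'base64'); // Node's decoder also accepts base64url
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) throw new Error('bad signature');
  return JSON.parse(Buffer.from(p, 'base64').toString('utf8'));
}

// Same checks as the question's wrapper, but failures are thrown with a code.
const withAuth = (authed, secret) => (parent, args, context, ...rest) => {
  if (!context.token) throw new AuthError('Token is missing', 'UNAUTHENTICATED');
  let claims;
  try { claims = verifyHs256(context.token, secret); }
  catch (_) { throw new AuthError('Incorrect token', 'UNAUTHENTICATED'); }
  const { username, email } = claims || {};
  if (!username || !email) throw new AuthError('Incorrect token', 'UNAUTHENTICATED');
  return authed(parent, args, { ...context, user: { username, email } }, ...rest);
};

// Resolves one root field (synchronously, for brevity) and builds the response.
function runField(field, resolve, context) {
  try {
    return { status: 200, body: { data: { [field]: resolve(null, {}, context) } } };
  } catch (err) {
    const known = err instanceof AuthError; // never echo unexpected error text
    const error = { message: known ? err.message : 'Internal error', path: [field],
      extensions: { code: known ? err.code : 'INTERNAL' } };
    return { status: 200, body: { data: null, errors: [error] } };
  }
}
```

A client can branch on `errors[0].extensions.code` instead of the HTTP status or the message text.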