Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update authorization and pagination docs #1814

Open
wants to merge 20 commits into
base: source
Choose a base branch
from
Open

Update authorization and pagination docs #1814

wants to merge 20 commits into from

Conversation

mandiwise
Copy link
Contributor

Description

This PR contains updated authorization and pagination content for the Learn docs. Key changes include:

  • Intro and recap formats are standardized with other updated pages
  • Example resolver format has been standardized with the rest of the docs
  • The postRepository code example has been expanded for clarity
  • Nod to auth directives (given that this is a common pattern)
  • Schema examples for connection and edge types are include on the pagination page
  • Light editing throughout each page

@benjie @jorydotcom

@vercel Vercel
Copy link

vercel bot commented Nov 3, 2024

@mandiwise is attempting to deploy a commit to the The GraphQL Foundation Team on Vercel.

A member of the Team first needs to authorize it.

benjie
benjie requested changes Nov 21, 2024
View reviewed changes
Copy link
Member

@benjie benjie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some really good changes here, but I'm not sure about "Using type system directives" being included?

src/pages/learn/authorization.mdx Outdated
Comment on lines 65 to 84
## Using type system directives

In the example above, we saw how authorization logic can be delegated to the business logic layer through a function that is called in a field resolver.

Another approach when implementing authorization checks for a GraphQL API is to use [type system directives](/learn/schema/#directives), where a directive such as `@auth` is defined in the schema with arguments that can indicate what roles or permissions a user must have to access the data provided by the and fields where the directive is applied. For example:

```graphql
directive @auth(rule: Rule) on FIELD_DEFINITION

enum Rule {
IS_AUTHOR
}

type Post {
authorId: ID!
body: String @auth(rule: IS_AUTHOR)
}
```

It would be up to the GraphQL implementation to determine how an `@auth` directive affects execution when a client makes a request that includes the `body` field for `Post` type. However, the authorization logic should remain delegated to the business logic layer.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm struggling to see how this leaves the logic in the business logic layer - isn't it the GraphQL layer here that's dictating that the rule to use is IS_AUTHOR rather than the business logic?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, this one is a bit ambiguous. I thought it was worth mentioning the type system directive approach because I've seen it used so often (whether or not it's a great idea to mix up auth rules in a schema). But I struggled to come up with a good example here that was adjacent to the prior example and also adheres to what would be considered the best practice. If you'd rather not invite readers to consider this option, I can just remove the section. Alternatively, I could remove the example and just provide a couple sentences explaining that people may see the type system directive approach in the wild. Let me know.

src/pages/learn/pagination.mdx Outdated Show resolved Hide resolved
mandiwise and others added 17 commits November 21, 2024 14:21
@mandiwise @benjie
Update src/pages/learn/pagination.mdx
909fabf 
Co-authored-by: Benjie <[email protected]>
@jemgillam @mandiwise
blog post: CfP for FOSDEM APIs and Friends devroom (graphql#1811)
a1df64e
@kamilkisiela @mandiwise
Add new gateway and tool hive (graphql#1815)
a345622
@mandiwise @benjie @jonathanberger
Update schema and types docs (graphql#1800)
f7292a7 
Co-authored-by: Benjie <[email protected]>
Co-authored-by: Jonathan Berger <[email protected]>
@kamilkisiela @mandiwise
Remove Tipe from Tools (graphql#1816)
57b4d4d
@kamilkisiela @mandiwise
Remove Prisma from Tools (graphql#1817)
626c623
@dimaMachina @mandiwise
fix videos for conf 2024 (graphql#1819)
184c0a3
@mandiwise @benjie
Update introspection docs (graphql#1812)
d32e433 
Co-authored-by: Benjie <[email protected]>
@mandiwise @benjie
Update execution docs (graphql#1804)
4b502c7 
Co-authored-by: Benjie <[email protected]>
@mandiwise @benjie
Update serving over HTTP docs. (graphql#1813)
5ef9c15 
Co-authored-by: Benjie <[email protected]>
@mandiwise @benjie
Update validation page. (graphql#1803)
01d0d07 
Co-authored-by: Benjie <[email protected]>
@benjie @mandiwise
Remove duplicate "the" (graphql#1828)
4fafb88
@aexol @benjie @mandiwise
Add new book by Artur Czemiel (graphql#1822)
9aa424f 
Co-authored-by: Benjie <[email protected]>
@tazsingh @mandiwise
Create atproto-did for Bluesky handle (graphql#1830)
b0fe7e7
@shashankrushiya @benjie @mandiwise
Update README to improve clarity and add missing sections (graphql#1823)
f8e82d2 
Co-authored-by: Benjie <[email protected]>
@benjie @mandiwise
We use Discord now (graphql#1831)
cf48ffd
@mandiwise @benjie
Add security best practices page. (graphql#1820)
fc47a37 
Co-authored-by: Benjie <[email protected]>
benjie
benjie reviewed Nov 22, 2024
View reviewed changes
src/pages/learn/authorization.mdx Outdated

## Using type system directives

In the example above, we saw how authorization logic can be delegated to the business logic layer through a function that is called in a field resolver.
Copy link
Member

@benjie benjie Nov 22, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Following on from https://github.com/graphql/graphql.github.io/pull/1814/files#r1852923240

Instead of trying to fit the auth directive approach into the "business logic layer" narrative, let's explicitly call it out as an alternative - something that people do but is not the recommended way:

Suggested change
In the example above, we saw how authorization logic can be delegated to the business logic layer through a function that is called in a field resolver.
In the example above, we saw how authorization logic can be delegated to the business logic layer through a function that is called in a field resolver. In general it is recommended to perform all authorization logic in the business logic layer, however if you decide to implement authorization in the GraphQL layer instead then one approach is to use [type system dire...

(merge with next paragraph)

The remainder of the text in this section would also need light editorial to reflect this.

What do you think?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good, addressed in 587906a.

@benjie
Copy link
Member

benjie commented Nov 22, 2024

We're back to 136 files changed @mandiwise; I think something went wrong with your merge/rebase

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@benjie benjie benjie requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@mandiwise @benjie @jemgillam @kamilkisiela @dimaMachina @aexol @tazsingh @shashankrushiya