Dynamically Filter Schema

Malax

Aug 9, 2017, 3:51:11 AM
to sangria-graphql
Hi!

We're building a GraphQL API that is used both internally and externally at the same time. We have authentication and authorization in place and everything works well so far.
However, there are some parts of the API we do not want to expose at all when an external user requests the API. IIRC, GitHub is doing something similar with their GQL API.

The first idea was to tag fields as internal and filter the schema depending on the authenticated user to exclude those fields. Afterwards, we could remove all types from the schema that are no longer referenced. This seemed like a pretty elegant solution to me. I tried to implement this by grabbing the AST and filtering it as described. Sadly, the tags are no longer available in the AST. :-(

I was very happy when I saw that there is a SchemaFilter but got disappointed when I realised it can only filter by name. So, this does not seem to be a feasible option.

So I am writing in here, hoping to get some pointers on how to tackle the problem. If this is something that is not easily doable right now, I would be happy to contribute to the project! :)


Peter Hunsberger

Aug 9, 2017, 11:59:39 PM
to sangria-graphql
How are you building your schema in the first place? If you are traversing some form of classes or other metadata, it is actually possible to construct multiple Sangria schema and pick them at query time. I've built a library on top of Sangria that lets users pick from multiple graph sources, each with multiple schema. In my case these are picked by using additional parameters passed with the query, and the parameters are locators into maps of maps of schema (none of my schema are that large). For your case, don't dynamically filter the schema after the fact; build your variants up front and choose from them based on the authorizations of the users.
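
A sketch of the approach discussed in this thread, added here as an example and not code from either poster or from the Sangria project: fields are filtered by tag while they are still Sangria `Field` definitions (where `tags` is available), and one schema variant per audience is built up front. `InternalOnly`, `Ctx`, `AuditEntry`, the field names and `schemaFor` are assumptions made for illustration; only root query fields are filtered here.

```scala
import sangria.schema._
import sangria.execution.FieldTag

object SchemaVariants {
  // Hypothetical tag and request context; neither comes from the thread.
  case object InternalOnly extends FieldTag
  case class Ctx(callerIsInternal: Boolean)

  // Hypothetical type that is reachable only through an internal field.
  val AuditEntryType = ObjectType("AuditEntry", fields[Ctx, String](
    Field("message", StringType, resolve = _.value)))

  // Every root field is declared once; internal ones carry the tag.
  val allQueryFields: List[Field[Ctx, Unit]] = fields[Ctx, Unit](
    Field("version", StringType, resolve = _ => "1.0"),
    Field("auditLog", ListType(AuditEntryType),
      tags = InternalOnly :: Nil,
      resolve = _ => List("constructed sample entry")))

  // Filter on the Field definitions, before a Schema (or its AST) exists.
  // Sangria collects schema types by walking from the root types, so
  // AuditEntry is not part of the variant that lacks the auditLog field.
  def buildSchema(includeInternal: Boolean): Schema[Ctx, Unit] = {
    val visible =
      if (includeInternal) allQueryFields
      else allQueryFields.filterNot(_.tags.contains(InternalOnly))
    Schema(ObjectType("Query", visible))
  }

  // Both variants are built once at startup, not per request.
  val internalSchema: Schema[Ctx, Unit] = buildSchema(includeInternal = true)
  val externalSchema: Schema[Ctx, Unit] = buildSchema(includeInternal = false)

  // The external variant is the default; only an authenticated internal
  // caller gets the full schema. The chosen schema is the one passed to
  // the executor for that request, so validation and introspection for
  // external callers never see the internal fields.
  def schemaFor(ctx: Ctx): Schema[Ctx, Unit] =
    if (ctx.callerIsInternal) internalSchema else externalSchema
}
```

Nested object types with internal fields would need the same filter applied where their field lists are built, and field-level authorization checks in the resolvers remain necessary for the fields both audiences can see.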