
Auth directive in input field ignores applyPolicy function #131

@bishwoconpago

Description


We are using mercurius with fastify in this server setup.

We have an archetype validator directive which works pretty sweetly on Query, Mutation, Subscription, and field resolvers.

But the issue arises when the directive is applied to the arguments: it doesn't trigger the directive's validator function.

Have even tried it with

  • INPUT_FIELD_DEFINITION | INPUT_OBJECT
  • creating a new directive, registering it and renaming it in the schema input
  • and it does not pick it up. The mutation gets called anyway (so we have to do the check in the execution logic).

(Screenshot attached, 2024-11-11)

example mutation:

  editUser(
    first_name: String
    ...
    role_id: ObjectID @authArchetype(requires: [superadmin])
  ): User  @authArchetype(requires: [superadmin, admin])

registering directive:

  // `app` is the Fastify instance on which mercurius has already been
  // registered with the schema above.
  const mercuriusAuth = require('mercurius-auth')

  app.register(mercuriusAuth, {
    // Called for every field that carries @authArchetype. `authDirectiveAST`
    // is the directive node from the schema, so `requires` / `exclude` are
    // read straight from its argument list.
    async applyPolicy(authDirectiveAST, parent, args, context) {
      // The authenticated user is placed on the context by the auth hook and
      // carries an `archetype` key. No user at all means no permission.
      const { user } = context
      if (!user) return new Error('You do not have the required permissions')

      // retrieve the auth directive argument requirements
      const requiredArgument = authDirectiveAST.arguments.find(
        (argument) => argument.name?.value === 'requires'
      )?.value

      const excludeArgument = authDirectiveAST.arguments.find(
        (argument) => argument.name?.value === 'exclude'
      )?.value

      // extract required archetype/s from the list argument values
      const authorizedArchetypes =
        requiredArgument?.values?.map((value) => value.value) ?? []

      // `exclude` is checked first and wins over `requires`
      if (excludeArgument) {
        const excludeArchetypes =
          excludeArgument?.values?.map((value) => value.value) ?? []
        if (excludeArchetypes.includes(user.archetype))
          return new Error('You do not have the required permissions')
      }

      // a missing or empty `requires` list denies everyone
      return authorizedArchetypes.includes(user.archetype)
        ? true
        : new Error('You do not have the required permissions')
    },
    // name of the directive as written in the schema, without the `@`
    authDirective: 'authArchetype',
  })
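The workaround the issue ends on, the argument check moved into the execution logic, as an added example that is not part of the issue and not mercurius-auth's own code. It keeps the same decision rule as the `applyPolicy` above (`exclude` wins, then the archetype must be in `requires`) but applies it per supplied argument in a resolver wrapper, so a caller who may call `editUser` but may not set `role_id` is refused before anything is written. The policy table `argumentPolicies`, the wrapper `withArgumentPolicies`, the in-memory `users` store and the stand-in `editUserResolver` are assumptions for the example; in a real service the table could be derived from the parsed schema.

```javascript
// Added example, not from the issue or from mercurius-auth: argument-level
// archetype checks done in resolver code, for the case where @authArchetype
// on an argument does not trigger applyPolicy. The names argumentPolicies,
// withArgumentPolicies, users and editUserResolver are assumptions.

// Policy table mirroring the directive on the `role_id` argument of the
// editUser mutation in the issue's SDL (hypothetical; a real service could
// build this from the schema AST).
const argumentPolicies = {
  'Mutation.editUser': {
    role_id: { requires: ['superadmin'] },
  },
}

// Same rule as the issue's applyPolicy: `exclude` wins, then the archetype
// must appear in `requires` (a missing or empty list denies everyone).
// A missing user denies instead of throwing a TypeError.
function archetypeAllowed(user, policy) {
  const archetype = user?.archetype
  if (!archetype) return false
  if ((policy.exclude ?? []).includes(archetype)) return false
  return (policy.requires ?? []).includes(archetype)
}

// Returns the names of the supplied arguments the caller may not set.
function checkArgumentPolicies(typeField, args, context) {
  const policies = argumentPolicies[typeField] ?? {}
  const denied = []
  for (const [argName, policy] of Object.entries(policies)) {
    // `in` rather than `!== undefined`: an explicit `role_id: null` is still
    // an attempt to change the field and has to be authorized as well.
    if (!(argName in args)) continue
    if (!archetypeAllowed(context?.user, policy)) denied.push(argName)
  }
  return denied
}

// Wraps a resolver so the argument policies run before it does any work.
// The check itself is synchronous, so a synchronous resolver stays so.
function withArgumentPolicies(typeField, resolver) {
  return (parent, args, context, info) => {
    const denied = checkArgumentPolicies(typeField, args ?? {}, context)
    if (denied.length > 0) {
      throw new Error(
        `You do not have the required permissions to set: ${denied.join(', ')}`
      )
    }
    return resolver(parent, args, context, info)
  }
}

// Constructed in-memory stand-in for the user store and the editUser resolver.
const users = new Map([
  ['u1', { id: 'u1', first_name: 'Ada', role_id: 'r-member' }],
])

function editUserResolver(_parent, args) {
  const { id, ...changes } = args
  const current = users.get(id)
  if (!current) throw new Error(`unknown user ${id}`)
  const updated = { ...current, ...changes }
  users.set(id, updated)
  return updated
}

// Resolver map as it would be handed to mercurius. The field-level
// @authArchetype on editUser itself is still enforced by mercurius-auth;
// this wrapper only adds the per-argument part.
const resolvers = {
  Mutation: {
    editUser: withArgumentPolicies('Mutation.editUser', editUserResolver),
  },
}
```

The wrapper throws rather than returning an `Error` value because it runs inside the resolver, where a thrown error is what GraphQL execution turns into a field error; `applyPolicy` is the only place where returning an `Error` is the documented signal. Checking with `in` matters for fields like `role_id` where an explicit `null` is itself a privileged change.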
