# prisma-whats-new
Hey guys, I'm working on a possible migration from REST to GraphQL (vue <-> rest php <-> elastic into vue <-> graphcool). I was wondering about the proper way to add (as an example) the logged user to a type (post). In my REST API, I can check if the userId in the parameter of my route is the same as the logged one (or just add the logged one to my entity/document), but I can't have a clean vision of this process in GraphQL. Do you have any guidelines about it? Thanks a lot ❤️

I'm not 100% sure I understand, but you can access `this.props.loggedInUser` from whatever component you set the auth token in and any of that component's children.

Sorry, my English is not as clean as my mind... The idea is just to check (server side) if the userId in my createPost mutation is the same as the one who's creating this Post (he can hack it client side to pass another one, for example). You see what I mean?

Yeah. That's why you access `this.props.loggedInUser`. For example, you can store the user's ID & token in `localStorage`, protect those routes, and check on the client if the user ID matches the loggedInUser ID to authorize that user to make that request.
I haven't worked much with Vue so I'm not sure if `this.props` is a convention, but the idea is still the same.

Hmm, the problem is that this user can modify his userId in localStorage (or whatever) but keep his token and createPost with this fake id. I can't protect it.

That is not the easiest of things to do.
1. The user would need to really know what to do.
2. You should ensure that the userID is authorized to create a post.
3. You should validate the token to ensure he/she is logged in.
4. You should ensure that the userID is a real ID coming from the database. If not, then respond with a `401`.
You could also store credentials in a cookie instead of in local storage.

Well, that sounds ok.
(thinking...)
I'll try to make my schema. I think I'm too obsessed with security (and I want to secure everything server side). I'll come back if I can't make something secure. Thanks for your help 🙂 See you