# prisma-whats-new
v
Sharing this again, in case there was no one around when I first posted it…
@nilan @agartha Sorry to tag you guys, but I feel like you may have an answer to this one?
Anyone here?
a
The template uses a rootToken to execute the `createUser` mutation. It has full permissions to run any query or mutation because of that, regardless of your permission settings.
v
I see. Is it this?
```js
const token = await graphcool.generateNodeToken(userId, 'User')
```
I guess I'll have to start evolving that template; as it is, it's exposing a bypass to createUser() through the public API, essentially.
a
How are you going to create a new User, if only authenticated users can call createUser?
That's not 'exposing a bypass', that's 'allowing users to signup'
v
you’re right, sorry, I am reasoning with my use-case in mind, of which you know nothing
so I am assuming things
In my case I don’t want to allow public signup of users
either way, shouldn’t signupUser() honour the permissions on createUser()? That is, if I choose to leave createUser() available for public non-logged-in requesters (so people can sign-up), then signupUser() inherits that, but if I choose (whatever the reason) to restrict access to createUser(), signupUser() should honour that. Don’t you think?
a
The templates are what they are, a starting point offered as-is to add certain functionality to your endpoint. You can make any changes you want to it to cover your use case. If, in your case, signupUser needs to run in the user context, use the `token` from `context.auth` instead of the `rootToken` to call the mutation.
v
Yes, I appreciate templates are just templates, and am thankful they exist. I was just thinking out loud 🙂
Thanks for directing me once more!
a
No problem, I hope my suggestion is useful to adapt it to your usecase.
v
@agartha I thought I had understood the code, but I actually didn’t — I can’t actually figure out where in the signup.ts the code is actually using a root token. Is that somewhat implicit? Trying to understand the code so I can actually modify it 🙂
a
Sorry, which template was that again, so I can have a look?
There should be a line in there saying `fromEvent(event)`
v
email-password - I was just searching for it so I can link it to you
There’s that line
a
That line basically creates a GraphQLClient with the rootToken from the event context.
v
ha
a
If you change that to `fromEvent(event, { token: event.context.auth.token })` it should use the user token instead of the rootToken
v
thanks
a
However, `event.context.auth` will be `null` when the mutation is called without an Authorization header.
So you probably should put a guard before that to check and `return { error: "..." }`
v
makes sense