# orm-help
r
Hey guys I have encountered a problem I am not sure how to handle When returning information like user - password is a required field on my schema. But I would like to return a user without the password when a user logs in or when requesting users in general. What is the best practice here to get returning sensitive fields to the user? Thanks.
t
Couldn't you make it not required?
wait, what do you mean
required
to be returned
the fields that are returned to the user are dependent on the query that is sent. unless i’m misunderstanding what you mean
r
maybe my knowledge is limited here
type User {
  id: ID! @unique
  name: String! @unique
  username: String! @unique
  email: String! @unique
  password: String!
  teams: [Team!]!
}
that is my user object
and I want to make sure password is a required field when saving to the database
I could probably remove the password being required, but is that how this problem is usually handled @tabsnotspaces
t
right so your type is correctly defined. the password is required when creating a user. so your `createUser` mutation will need to have a password in the payload. but querying for a user you can specify whatever fields you want
r
ye that is part of the problem
how would one prevent the ability to query the password field
if I delete it from the object, then graphql complains that password is a required field
the only thing I can think of is to have another authuser type that excludes password from the schema
l
Can't you make the password field optional on User but make it required on a Signup mutation (that would take an input of its own type)?
type Mutation {
  signup(email: String!, password: String!): User
}
t
^ yeah there’s that too. you can also look at persisted queries, it dictates what queries can be sent to the graphql server in production
t
from what i understand, in your `datamodel.graphql` you would include the password field, but in the schema.graphql which is the second layer where you would expose your api to calls, you would "redefine" `type User { ... }` in there and include only the fields you want to expose, so leave out password and anything that you don't want to be able to query.
so in your schema.graphql either above or below your `type Query { ... }` and `type Mutation { ... }` you literally add something like
type User {
  id: ID!
  email: String!
  name: String!
}
which would only allow querying on id, email, and name
r
thanks guys … all of these are great solutions!
I think the last solution makes the most sense
password should only flow through the signup and get saved through prisma bindings
I can redefine user so it’s not available for querying!
they are all kind of similar ideas though
thanks!