Authorizing Fields
Each field in an OttoModel<T>
can be configured with authorization; that is, you can control whether or not the user is allowed to resolve that field based on your own authorization rules.
To authorize a field, use the .Authorize(...)
method on GraphTypeBuilder<T>
:
public sealed class Model : OttoModel<Query>
{
protected override SchemaBuilder ConfigureSchema(SchemaBuilder builder)
{
return builder
.GraphType<Thing>(thingBuilder =>
thingBuilder
.Authorize(thing => thing.Name)
.Via<Authorizer>(x => x.CanViewName())
);
}
}
This assumes some class named Authorizer
exists. OttoTheGeek
will register this class with the dependency injection container on your behalf.
If authorization fails (i.e. the method passed to .Via(...)
returns false
), then the field’s value will be null in the response, and an error with the message “Not authorized” will also be present. For instance, a query like:
{
thing {
name
}
}
would return a response like this:
{
"data" {
"thing" {
"name": null
}
},
"errors": [
{
"message": "Not authorized",
...
}
]
}
Model Validation for Authorization
Since authorization depends on being able to return null
for unauthorized fields, OttoTheGeek
will throw an AuthorizationConfigurationException
if you have configured authorization on a field that is marked as non-nullable.