better example

Author: enisdenjo

e2e/operation-field-permissions/gateway.config.ts

@@ -1,11 +1,20 @@
 import { useOperationFieldPermissions } from '@envelop/operation-field-permissions';
-import { defineConfig } from '@graphql-hive/gateway';
+import { defineConfig, GatewayContext } from '@graphql-hive/gateway';
 
 export const gatewayConfig = defineConfig({
   plugins: () => [
     useOperationFieldPermissions({
-      getPermissions() {
-        return new Set(['Query.allowed']);
+      getPermissions(ctx: GatewayContext) {
+        const auth = ctx.request.headers.get('authorization');
+        if (
+          auth ===
+          'Bearer TOKEN' /** NOTE: proper token validity check goes here */
+        ) {
+          // allow all fields
+          return new Set(['*']);
+        }
+        // allow only introspection
+        return new Set(['Query.registrationOpen']);
       },
     }) as any, // TODO: fix generic in envelop
   ],

e2e/operation-field-permissions/operation-field-permissions.e2e.ts

@@ -3,7 +3,7 @@ import { expect, it } from 'vitest';
 
 const { gateway, service } = createTenv(__dirname);
 
-it('should disallow disallowed', async () => {
+it('should allow checking registration but disallow "me" when not authenticated', async () => {
   const { execute } = await gateway({
     supergraph: {
       with: 'mesh',
@@ -15,7 +15,25 @@ it('should disallow disallowed', async () => {
     execute({
       query: /* GraphQL */ `
         {
-          disallowed
+          registrationOpen
+        }
+      `,
+    }),
+  ).resolves.toMatchInlineSnapshot(`
+    {
+      "data": {
+        "registrationOpen": false,
+      },
+    }
+  `);
+
+  await expect(
+    execute({
+      query: /* GraphQL */ `
+        {
+          me {
+            name
+          }
         }
       `,
     }),
@@ -30,33 +48,52 @@ it('should disallow disallowed', async () => {
               "line": 3,
             },
           ],
-          "message": "Insufficient permissions for selecting 'Query.disallowed'.",
+          "message": "Insufficient permissions for selecting 'Query.me'.",
+        },
+        {
+          "locations": [
+            {
+              "column": 13,
+              "line": 4,
+            },
+          ],
+          "message": "Insufficient permissions for selecting 'User.name'.",
         },
       ],
     }
   `);
 });
 
-it('should allow allowed', async () => {
+it('should allow "me" when authenticated', async () => {
   const { execute } = await gateway({
     supergraph: {
       with: 'mesh',
       services: [await service('users')],
     },
+    pipeLogs: 'gw.log',
   });
 
   await expect(
     execute({
       query: /* GraphQL */ `
         {
-          allowed
+          registrationOpen
+          me {
+            name
+          }
         }
       `,
+      headers: {
+        authorization: 'Bearer TOKEN',
+      },
     }),
   ).resolves.toMatchInlineSnapshot(`
     {
       "data": {
-        "allowed": "cool",
+        "me": {
+          "name": "John",
+        },
+        "registrationOpen": false,
       },
     }
   `);

e2e/operation-field-permissions/services/users.ts

@@ -10,14 +10,17 @@ createServer(
     schema: createSchema<any>({
       typeDefs: /* GraphQL */ `
         type Query {
-          allowed: String!
-          disallowed: String!
+          registrationOpen: Boolean!
+          me: User!
+        }
+        type User {
+          name: String!
         }
       `,
       resolvers: {
         Query: {
-          allowed: () => 'cool',
-          disallowed: () => 'very not cool',
+          registrationOpen: () => false,
+          me: () => ({ name: 'John' }),
         },
       },
     }),