Using different schema for authorized/unauthorized requests

[JajaComp]

Hi! In 7 version can i use different schema for authorized/unauthorized requests? In previous version i use it over:

suspend fun handle(applicationCall: ApplicationCall) {
        val result = when {
            applicationCall.containHeader("ADMIN_HEADER") -> {
                if (applicationCall.request.hasCorrectAdminHeader()) {
                    fullGraphQLServer.execute(applicationCall.request)
                } else {
                    delay(2_000)
                    applicationCall.response.call.respond(HttpStatusCode.Unauthorized, "No access")
                    return
                }
            }

            applicationCall.containHeader("AUTH_HEADER") -> {
                fullGraphQLServer.execute(applicationCall.request)
            }

            else -> {
                guestGraphqlServer.execute(applicationCall.request)
            }
        }
        if (result != null) {
            val json = mapper.writeValueAsString(result)
            applicationCall.response.call.respondText(contentType = ContentType.Application.Json, text = json)
        } else {
            applicationCall.response.call.respond(HttpStatusCode.BadRequest, "Invalid request")
        }
    }

How can now i do this?

[dariuszkuc]

Hello 👋
I assume the question is how to serve 2 schemas using new GraphQL Kotlin Ktor Plugin?

I am unsure whats the use case for serving two different GraphQL schemas vs using some authorization mechanism to limit access (directives) on the schema directly. Plugin currently doesn't support generating multiple schemas so you would either have to transform existing one or manually generate it. I believe you should (haven't tried it) be able to do it by providing some custom routing (see default routing, i.e.

fun Application.graphQLModule() {
    install(GraphQL) {
        schema {
            packages = listOf("com.example")
            queries = listOf(
                HelloWorldQuery()
            )
        }
    }
    routing {
      route("/graphql", HttpMethod.Post) {
        // plugin holds auto generated FULL schema + corresponding server config
        val graphQLPlugin = this.application.plugin(GraphQL)
        // you could transform the schema and generate the corresponding server but thats custom logic
        handle {
          // your logic from above goes here
        }
      }
    }
}

[JajaComp]

Are you planning to open class KtorGraphQLRequestParser to replace it over ServerConfiguration (Field var requestParser)? Otherwise, why is it marked as var?

My case:
I use first schema for authorization and refresh token, and second for authorized requests. May be can you advice better use case for it?

[dariuszkuc]

Are you planning to open class KtorGraphQLRequestParser to replace it over ServerConfiguration (Field var requestParser)? Otherwise, why is it marked as var?

Yeah the request parser should be open, looks like it was missed on the Ktor side (Spring request parser is already open) -> please open up a PR :)

My case:
I use first schema for authorization and refresh token, and second for authorized requests. May be can you advice better use case for it?

Personally I wouldn't use GraphQL for doing auth as IMHO that's already a solved problem with OAuth2. Instead I'd call my GraphQL server AFTER obtaining proper JWT tokens so you would only need to validate them (i.e. whether users have valid permissions/scopes) inside your server.

[dariuszkuc]

Moving this to discussion.