Graphql-ruby style Visability

[JipSterk]

hi hayes, thanks for this awesome library. Im loving v4 very much and would like to add a feature like graphql-ruby's visibility.

Motivation

Pothos currently lacks a granular, field-level access control mechanism. A visibility feature would bridge the gap between the scope-auth plugin and sub-graph plugins, providing fine-grained control over schema element accessibility.

Proposal

Introduce a visibility option for: types, fields, enums? and mutation that accepts a function, returning a boolean based on the context

builder.queryField('sensitiveData', (t) => ({
  type: 'String',
  visibility: ({ context }) => context.user.permissions.includes('VIEW_SENSITIVE_DATA') || context.user.features.include('NEW_CANARY_FIELD'),
  resolve: () => 'Confidential information'
}));

Benefits

• Progressively expand schema through feature flags
• Enhanced schema element-level access control
• Simplified schema management with dynamic field visibility
• Improved performance through early field filtering
• Flexible and declarative implementation

Implementation

The visibility function/flag would be called during query planning. potentially leveraging Pothos's afterBuild hook?

i would like to spend some time to implement such feature but could use some points on the following:

• perhaps we can extract the hasReturnedInterface from the sub-graph package to verify all inherited interfaces are present or is this done in a later stage of the builders inner workings.
• i don't know how pothos handles schema's with no exposed query type. Is this handled by @pothos/core or do we need a separate check for this as well
• Im not sure how introspection would work

[hayes]

This seems interesting, but would be very hard to do in pothis directly.

You'd probably want to build a pothos plugin and an envelop plugin. The issue is that GraphQL in JS operates based on the schema, and you would likely need to regenerate the schema for each request.

What I'd do for this would be:

1. Implement a very simple pothos plugin, that just takes the visibility option, and copies it into to extensions for the type/field
2. Implement an envelop plugin that uses the onEnveloped to set thte schema

• in this hook, you would map over the schema, and check for the visibility callback in each fields extensions, to determine if it should be included in the new schema
• call setSchema to replace the schema with the new filtered schema for the current user
• you'll probably want to cache the schema for each user, if this is a long running service, because creating a new filtered schema on each request is inefficient