Using different schema for authorized/unauthorized requests

[JajaComp]

Hi! In 7 version can i use different schema for authorized/unauthorized requests? In previous version i use it over:

suspend fun handle(applicationCall: ApplicationCall) {
        val result = when {
            applicationCall.containHeader("ADMIN_HEADER") -> {
                if (applicationCall.request.hasCorrectAdminHeader()) {
                    fullGraphQLServer.execute(applicationCall.request)
                } else {
                    delay(2_000)
                    applicationCall.response.call.respond(HttpStatusCode.Unauthorized, "No access")
                    return
                }
            }

            applicationCall.containHeader("AUTH_HEADER") -> {
                fullGraphQLServer.execute(applicationCall.request)
            }

            else -> {
                guestGraphqlServer.execute(applicationCall.request)
            }
        }
        if (result != null) {
            val json = mapper.writeValueAsString(result)
            applicationCall.response.call.respondText(contentType = ContentType.Application.Json, text = json)
        } else {
            applicationCall.response.call.respond(HttpStatusCode.BadRequest, "Invalid request")
        }
    }

How can now i do this?

[dariuszkuc]

Hello 👋
I assume the question is how to serve 2 schemas using new GraphQL Kotlin Ktor Plugin?

I am unsure whats the use case for serving two different GraphQL schemas vs using some authorization mechanism to limit access (directives) on the schema directly. Plugin currently doesn't support generating multiple schemas so you would either have to transform existing one or manually generate it. I believe you should (haven't tried it) be able to do it by providing some custom routing (see default routing, i.e.

fun Application.graphQLModule() {
    install(GraphQL) {
        schema {
            packages = listOf("com.example")
            queries = listOf(
                HelloWorldQuery()
            )
        }
    }
    routing {
      route("/graphql", HttpMethod.Post) {
        // plugin holds auto generated FULL schema + corresponding server config
        val graphQLPlugin = this.application.plugin(GraphQL)
        // you could transform the schema and generate the corresponding server but thats custom logic
        handle {
          // your logic from above goes here
        }
      }
    }
}

[JajaComp]

Are you planning to open class KtorGraphQLRequestParser to replace it over ServerConfiguration (Field var requestParser)? Otherwise, why is it marked as var?

My case:
I use first schema for authorization and refresh token, and second for authorized requests. May be can you advice better use case for it?

[dariuszkuc]

Are you planning to open class KtorGraphQLRequestParser to replace it over ServerConfiguration (Field var requestParser)? Otherwise, why is it marked as var?

Yeah the request parser should be open, looks like it was missed on the Ktor side (Spring request parser is already open) -> please open up a PR :)

My case:
I use first schema for authorization and refresh token, and second for authorized requests. May be can you advice better use case for it?

Personally I wouldn't use GraphQL for doing auth as IMHO that's already a solved problem with OAuth2. Instead I'd call my GraphQL server AFTER obtaining proper JWT tokens so you would only need to validate them (i.e. whether users have valid permissions/scopes) inside your server.

[JajaComp]

In the end I managed to solve the problem:

1. Create custom route for post request:

private fun Route.graphQLPostRoute(): Route {
    val ktorServer = get<KtorServer>()
    return route("/graphql", HttpMethod.Post) {
        handle {
            ktorServer.handle(this.call)
        }
        install(ContentNegotiation) {
            jackson(streamRequestBody = true) {}
        }
    }
}

2. Create instance for Guest graphql server:

internal class GuestGraphql(
    private val contextFactory: GuestGraphQLContextFactory,
    private val dataLoaderRegistryFactory: KotlinDataLoaderRegistryFactory,
) {
    private val graphQl: GraphQL
    val server: KtorGraphQLServer
        get() = graphQl.server
    val schema: GraphQLSchema
        get() = graphQl.schema

    init {
        val schema = GuestGraphqlSchema.schema
        val config = GraphQLConfiguration(config = ApplicationConfig(null)).apply {
            this.schema.override(schema)
            engine {
                this.dataLoaderRegistryFactory = [email protected]
            }
            server {
                this.contextFactory = [email protected]
            }
        }
        this.graphQl = GraphQL(config = config)
    }
}

3. Create authorized graphql server:

internal class FullGraphql(
    private val contextFactory: FullGraphQLContextFactory,
    private val dataLoaderRegistryFactory: KotlinDataLoaderRegistryFactory,
) {
    private val graphQl: GraphQL
    val schema: GraphQLSchema
        get() = graphQl.schema
    val server: KtorGraphQLServer
        get() = graphQl.server
    val subscriptionServer: KtorGraphQLWebSocketServer
        get() = graphQl.subscriptionServer

    init {
        val schema = FullGraphqlSchema.schema
        val config = GraphQLConfiguration(config = ApplicationConfig(null)).apply {
            this.schema.override(schema)
            engine {
                this.dataLoaderRegistryFactory = [email protected]
            }
            server {
                this.contextFactory = [email protected]
            }
        }
        this.graphQl = GraphQL(config = config)
    }
}

4. Parse ktor reques, check correct headers, execute request:

internal class KtorServer(
    private val fullGraphql: FullGraphql,
    private val guestGraphqlServer: GuestGraphql,
    private val tokenService: TokenService,
    private val mapper: ObjectMapper,
) : KoinComponent {
    /**
     * Handle incoming Ktor Http requests and send them back to the response methods.
     */
    suspend fun handle(applicationCall: ApplicationCall) {
        val executeResult = applicationCall.executeByCallType(
            authorizedRequest = {
                fullGraphql.server.execute(applicationCall.request)
            },
            guestRequest = {
                guestGraphqlServer.server.execute(applicationCall.request)
            },
            brokenRequest = {
                applicationCall.response.call.respond(HttpStatusCode.Unauthorized, "No access")
                return
            },
        )

        if (executeResult == null) {
            applicationCall.response.call.respond(HttpStatusCode.BadRequest, "Invalid request")
            return
        }
        val json = mapper.writeValueAsString(executeResult)
        applicationCall.response.call.respondText(contentType = ContentType.Application.Json, text = json)
    }
}