-
When using generic auth in "protect-all" mode the documentation states:
This does not seem to be true. The validateUser always gets called, even when @skipAuth is set on the field. I am not sure if documentation is wrong or there needs to be a check added to the plugins handleField function when @skipAuth is enabled. |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 3 replies
-
Hey @aslansky do you think you can provide a minimal reproduction on CodeSandbox or Stackblitz or even better a PR with a failing test? |
Beta Was this translation helpful? Give feedback.
-
The behaviour is the same for @auth and @skipAuth, but as I said, I am not sure if this is expected behaviour and the user needs to handle the check for fieldAuthDirectiveNode and fieldAuthExtension in the custom validateUser function. |
Beta Was this translation helpful? Give feedback.
-
@aslansky From the test it is now more clear to me.
Does that make sense to you? In the meanwhile I will change this issue to a discussion! |
Beta Was this translation helpful? Give feedback.
@aslansky From the test it is now more clear to me.
validateUser
is called in that case as well because the field could behave differently based on whether a user is authenticated or not. E.g. if you have aQuery.feed
field it could either resolve to a generic feed if the user resolved fromvalidateUser
isnull
or a customized user feed if the user resolved fromvalidateUser
is non-null
9e.g. a user object).Does that make sense to you? In the meanwhile I will change this issue to a discussion!