The Guild LogoThe Guild Monogram

Search docs

Search icon

Products by The Guild

Products

Hive logoHive blurred logo

Hive

Schema Registry for your GraphQL Workflows

GraphQL Shield Logo

GraphQL Shield

Get Started

Shield#

Shield generates GraphQL Middleware layer from your rules. You should generate permissions using shield when initialising a schema itself.

import { shield } from 'graphql-shield' const permissions = shield(map)

A rule map must match your schema definition. You should create a collection of rules that you use in your map to define permissions and access to your server. All rules must be created using the rule function to ensure caches are made correctly. You can apply your rule across entire schema, Type scoped, or field specific.

Consider the following example:

const permissions = shield({ Query: { frontPage: not(isAuthenticated), fruits: and(isAuthenticated, or(isAdmin, isEditor)), customers: and(isAuthenticated, isAdmin), }, Mutation: { addFruitToBasket: isAuthenticated, }, Fruit: isAuthenticated, Customer: isAdmin, })

Per Type Wildcard Rule#

There is an option to specify a rule that will be applied to all fields of a type (Query, Mutation, ...) that do not specify a rule. It is similar to the options.fallbackRule but allows you to specify a fallbackRule per type.

// this will only allow query1 and query2. // query3 for instance will be denied // it will also deny every mutation // (you can still use `fallbackRule` option with it) const permissions = shield({ Query: { "*": deny query1: allow, query2: allow, }, Mutation: { "*": deny }, }, { fallbackRule: allow })

options#

PropertyRequiredDefaultDescription
allowExternalErrorsfalsefalseToggle catching internal errors.
debugfalsefalseToggle debug mode.
fallbackRulefalseallowThe default rule for every "rule-undefined" field.
fallbackErrorfalseError('Not Authorised!')Error Permission system fallbacks to.
hashFunctionfalseobject-hashHashing function to use for strict cache

By default shield ensures no internal data is exposed to client if it was not meant to be. Therefore, all thrown errors during execution resolve in Not Authorised! error message if not otherwise specified using error wrapper. This can be turned off by setting allowExternalErrors option to true.