GraphQL Middleware Resolver

System Information
  • Strapi Version: 4.8.2
  • Operating System: Mac
  • Database: Postgres
  • Node Version: 16.18
  • Yarn Version: 1.22.19

Hi,

Goal:
I try to create a middleware that allows me to put two restrictions in place.
a). Only allow users who are creators of a content type can edit it (e.g. author of a comment)
b). Public users should only see 5 results for nested content (e.g. see only 5 comments for a block posts out of 30 comments). Authorised users should be able to see all.

Context

  • The content may be nested (e.g. posts have comments nested below)
  • This is about users & permissions plugin, not admin users.
  • All is done in GraphQL, not with Rest APIs

Current approach:
In the middleware I execute the following code:

export default async (resolve, parent, args, context, info) => {
  const res = await resolve(parent, args, context, info)
  const {value, ...rest} = res
  const val = await value

  // conditions: 
  // only allow users who are creator of the content to edit it
  // do manipulation (e.g. limit results)

Issue with the approach:
The val variable only contains the upper level content (e.g. Post), but the nested content is missing (e.g.repeatable components such as comments and relational data such as users).

Questions:

  1. What would be the best way to achieve this? Can I get access to nested content? Where else would I be able to implement these rules?
  2. Can I only control the actions “Query” and “Mutation” or also “findOne”, “findMany”, etc.
  3. Bonus question: is there a nice way to type middleware with TypeScript?

Other tested approaches:

  • Manipulating the resolver → I think this could work. But I would have to rewrite every resolver which seems wrong
  • Using policies → seem to not give access to the resolver
  • Using Admin users and with that the option for conditions and advanced RBAC → I don’t think that content (Posts, Comments) can be created via GraphQL as a admin user. I also don’t think this is how it would be intended.

Thank you very much for any hint in the right direction! I have been searching for a few days :).

Hey @NilsMich - did you ever figure this out?
I have a similar scenario and so far using middleware with GraphQL has been like walking in pitch darkness.

There is barely any documentation on it.