graphql-shield: Graphql-shield doesn't work with multipart requests (Graphql-yoga Upload)

Bug report

  • I have checked other issues to make sure this is not a duplicate.

Describe the bug

I found unexpected behavior of graphql-shield while using it for mutations that accept a file of type Upload as a parameter. I use it with Apollo Client, which transforms requests into multipart if they include a file.

To Reproduce

  1. This is my GraphQL Schema.
scalar Upload

type Mutation {
  createUser(
    name: String!
    avatar: Upload
  ): User!
}

type Query {
  users: [User!]!
}

type User {
  id: ID!
  name: String!
  avatarUrl: String
}
  2. This is the invoked query
createUser({
  variables: {
    name: "John Doe",
    avatar: new ReactNativeFile({
      uri: values.image,
      type: 'image/*',
      name: `IMG_${new Date().toISOString()}`,
    }),
  },
})
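  3. I use these permissions
import { rule, shield } from 'graphql-shield'

// Rule that always allows; the log line shows whether the rule body ran.
const allow = rule()(async (parent, args, ctx: Context, info) => {
  console.log("HERE")
  return true
})

// Apply the rule to the createUser mutation only.
const permissions = shield({
  Mutation: {
    createUser: allow,
  },
})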
  4. This is the error I see
Object {
  "data": null,
  "errors": Array [
    Object {
      "locations": Array [
        Object {
          "column": 3,
          "line": 2,
        },
      ],
      "message": "Not Authorised!",
      "path": Array [
        "createUser",
      ],
      "stack": "Error: Not Authorised!
    at normalizeOptions (/banshee/packages/backend/node_modules/graphql-shield/src/shield.ts:32:32)
    at Object.shield (/banshee/packages/backend/node_modules/graphql-shield/src/shield.ts:51:29)
    at Object.<anonymous> (/banshee/packages/backend/src/permissions.ts:245:28)
    at Module._compile (internal/modules/cjs/loader.js:774:30)
    at Module.m._compile (/banshee/packages/backend/node_modules/ts-node/src/index.ts:473:23)
    at Module._extensions..js (internal/modules/cjs/loader.js:785:10)
    at Object.require.extensions.<computed> [as .ts] (/banshee/packages/backend/node_modules/ts-node/src/index.ts:476:12)
    at Module.load (internal/modules/cjs/loader.js:641:32)
    at Function.Module._load (internal/modules/cjs/loader.js:556:12)
    at Module.require (internal/modules/cjs/loader.js:681:19)",
    },
  ],
}

Expected behavior

  • “HERE” displayed in console.
  • User created.

Actual behaviour

  • “HERE” is not displayed in console.
  • User not created, but permissions should not deny this mutation

Additional context

Also, I can successfully create a user without an avatar.

Versions:

  • backend: "graphql-yoga": "1.18.0", "graphql-shield": "^5.7.1"
  • frontend: "apollo-upload-client": "10.0.0", "graphql": "14.2.1", "react-native": "https://github.com/expo/react-native/archive/sdk-33.0.0.tar.gz"

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 5
  • Comments: 17 (10 by maintainers)

Most upvoted comments

@maticzav I’ve created a PR which fixes the problem for me. Can you have a look?

Adding { cache: "contextual" } to the related rules is fixing the problem but it should work by default.
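A simplified model of the symptoms reported in this thread, added here as an example and not taken from graphql-shield's source or from any commenter: it shows how a per-argument cache key can fail before the rule body runs and surface as a generic denial, while a contextual key never inspects the arguments. It assumes the default cache derives its key from the resolver arguments and that this step fails on an Upload value; all names (`strictKey`, `contextualKey`, `makeRule`, `demo`, the `debug` flag) and the inputs are constructed for illustration.

```javascript
// Added model with hypothetical names; not graphql-shield source code.
// Strict key: serialise parent and args, rejecting types it cannot serialise
// (assumed behaviour of a per-argument cache key).
function strictKey(name, parent, args) {
  const walk = (v) => {
    if (v === null || typeof v !== 'object') return String(v);
    if (Array.isArray(v)) return '[' + v.map(walk).join(',') + ']';
    if (Object.getPrototypeOf(v) !== Object.prototype) {
      throw new Error('cannot hash value of type ' + Object.prototype.toString.call(v));
    }
    return '{' + Object.keys(v).sort().map((k) => k + ':' + walk(v[k])).join(',') + '}';
  };
  return name + '-' + walk({ parent, args });
}

// Contextual key: the rule name only; parent and args are never inspected.
const contextualKey = (name) => name;

function makeRule(name, cache, fn) {
  return (parent, args, ctx, opts = {}) => {
    try {
      const key = cache === 'strict' ? strictKey(name, parent, args) : contextualKey(name);
      if (!ctx.cache.has(key)) ctx.cache.set(key, fn(parent, args, ctx));
      return ctx.cache.get(key) === true ? 'allowed' : 'Not Authorised!';
    } catch (err) {
      // Fail closed: an internal error surfaces as the generic denial unless
      // the model's hypothetical debug flag is set.
      return opts.debug ? 'Error: ' + err.message : 'Not Authorised!';
    }
  };
}

// Constructed inputs: a plain mutation and one whose avatar is a pending upload.
function demo() {
  const calls = []; // records which invocations reached the rule body
  const body = (parent, args) => { calls.push(args.name); return true; };
  const upload = { name: 'John Doe', avatar: new Promise(() => {}) };
  const plain = { name: 'Jane Doe' };
  const strict = makeRule('allow', 'strict', body);
  const contextual = makeRule('allow', 'contextual', body);
  return {
    strictPlain: strict(null, plain, { cache: new Map() }),
    strictUpload: strict(null, upload, { cache: new Map() }),
    strictUploadDebug: strict(null, upload, { cache: new Map() }, { debug: true }),
    contextualUpload: contextual(null, upload, { cache: new Map() }),
    calls,
  };
}

console.log(demo());
```

In the model, the strict upload call is denied without its rule body ever running, which matches the missing "HERE" log line in the report; the denial is fail-closed, so the cost is availability rather than an authorization bypass.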

@bkstorm a reproduction repository would be great. 🙂

Okay, I will create a repository.