Restrict private data to the owner user only

[nassim-kachroud]

Hey guys!

First, thanks a lot for the efforts in it, it works like a charm!
I'm currently working on a e-commerce GraphQL API and I would like the best solution to protect fetching private data owned by the logged in user.
I used a auth-checker to make sure that a user is logged in but for example, how can I make sure that users can fetch only orders, coupons... they own?

Thanks a lot!

[MichalLytek]

orders, coupons... they own

It's a business logic so you need to write your own resolvers which will translate orders query into proper where conditions of prisma client findMany method.

[nassim-kachroud]

I just did it with only 1 table Categories: same error...

[nassim-kachroud]

I uploaded the sample code that you can clone from here:

https://github.com/nassim-kachroud/test

[MichalLytek]

@nassim-kachroud Do you know that when you read release notes for the newest release, you also need to install it?
Your package.json: "typegraphql-prisma": "^0.11.2",
0.12.0 release notes: https://github.com/MichalLytek/typegraphql-prisma/releases/tag/v0.12.0

I won't even address compilation errors caused by wrong imports:

[MichalLytek]

You should stop using --transpile-only and start checking the TypeScript output e.g. via IDE.

[MichalLytek]

Upgrading to Prisma 2.19 and this library to 0.12.0 fixes the issue:

[INFO] 13:53:55 ts-node-dev ver. 1.1.6 (using ts-node ver. 9.1.1, typescript ver. 4.2.3)
🚀 Server ready at: http://localhost:4444
Query "findFirstCategories" accessed