Skip to content

Feature Request Standardize Declarative Authorization and Validation via Pothos Plugins #5199

@h30s

Description

@h30s

Is your feature request related to a problem? Please describe.

Currently, almost every GraphQL resolver manually handles authentication, authorization, and input validation within the resolve function (e.g., createUser.ts, allUsers.ts). This results in significant code duplication (15-30 lines of boilerplate per file), makes security audits difficult, and increases the risk of forgetting a critical auth check in new fields.

Describe the solution you'd like

I'd like to implement a declarative approach using Pothos plugins (AuthPlugin and a validation plugin like @pothos/plugin-zod). This would move auth and validation logic out of the resolver body and into the field definition.
Benefits:

  • Secure by default: Permissions are explicit and verified at the schema level.
  • Cleaner code: Resolvers focus only on business logic/database operations.
  • Self-documenting: Required roles and validation rules become visible via schema introspection.

Describe alternatives you've considered

  • Continuing with imperative logic: High maintenance overhead and prone to human error.
  • Custom wrapper functions: While possible, using native Pothos plugins is more idiomatic, type-safe, and provides better integration with the GraphQL lifecycle.

Approach to be followed (optional)

  1. Enable AuthPlugin and ValidationPlugin in src/graphql/builder.ts.
  2. Map ctx.currentClient roles (e.g., administrator) to named auth scopes.
  3. Configure global error mapping to ensure validation/auth failures still throw TalawaGraphQLError with the correct extension codes.
  4. Incrementally refactor existing resolvers to use these declarative options.

Additional context

This architectural shift would align the API with modern GraphQL best practices and significantly improve the developer experience for contributors.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions