Support for Single GraphQL Schema with Public and Authenticated APIs in Rebing GraphQL (Laravel) Using a Single Endpoint

[kamleshavdevs]

I'm working on a Laravel project using the Rebing GraphQL package and have the following requirement:

Both public operations (like login and registration) and authenticated operations (protected APIs) should be accessible through a single GraphQL endpoint.
Public operations such as login and registration should not require the auth:api middleware.
Other operations should be protected by the auth:api middleware and accessible only to authenticated users.

Current Approach:
Currently, I have a single schema in graphql.php that contains both public and authenticated operations. However, I need to conditionally apply the auth:api middleware based on the type of operation (public or authenticated).

Config file:

'schemas' => [
        'default' => [
            'query' => [],
            'mutation' => [
                \App\GraphQL\V1\Auth\Mutations\RegistrationMutation::class,
                \App\GraphQL\V1\Auth\Mutations\LoginMutation::class,
                \App\GraphQL\V1\Auth\Mutations\VerifyEmailMutation::class,
                \App\GraphQL\V1\Auth\Mutations\ResetPasswordEmailMutation::class,
                \App\GraphQL\V1\Auth\Mutations\ResetPasswordMutation::class,
                \App\GraphQL\V1\Auth\Mutations\VerifyResetPasswordTokenMutation::class,

                // apply 'middleware' => ['auth:api'] on this only
                \App\GraphQL\V1\Settings\Permission\Mutations\CreateMutation::class 
            ],
            'types' => [
                \App\GraphQL\V1\Auth\Types\RegistrationType::class,
                \App\GraphQL\V1\Auth\Types\AuthenticatedType::class,
                \App\GraphQL\V1\Auth\Types\VerifyEmailType::class,
                \App\GraphQL\V1\Auth\Types\RoleType::class,
                \App\GraphQL\V1\Settings\Role\Enums\StatusEnums::class,

                \App\GraphQL\V1\Settings\Permission\Types\PermissionType::class,
                \App\GraphQL\V1\Settings\Permission\Types\PermissionResponseType::class,
                \App\GraphQL\V1\Common\Types\UserType::class,
                \App\GraphQL\V1\Settings\Permission\Types\PermissionsType::class,
            ],
            'middleware' => [],
            'method' => ['GET', 'POST'],
            'execution_middleware' => null,
        ],
]

class CreateMutation extends Mutation
{
    protected $attributes = [
        'name' => 'createPermission',
        'description' => 'A mutation to create a new permission',
    ];

    public function type(): Type
    {
        return GraphQL::type('permissionResponseType');
    }

    public function args(): array
    {
        return [
            'name' => [
                'type' => Type::nonNull(Type::string()),
                'description' => 'The name of the Permission',
            ],
            'description' => [
                'type' => Type::string(),
                'description' => 'A description of the Permission',
            ],
        ];
    }

    public function authorize($root, array $args, $ctx, ?ResolveInfo $resolveInfo = null, ?Closure $getSelectFields = null): bool
    {
        // Early return if the user is not authenticated
        if (! $user = Auth::user()) {
            return false;
        }

        // Define admin roles
        $adminRoles = ['Super Admin', 'System Admin', 'Admin'];

        // Retrieve the user's roles and check if they have an admin role
        if ($user->roles()->pluck('name')->intersect($adminRoles)->isNotEmpty()) {
            return true;
        }

        // Check if the user has the required permission
        return $user->hasPermission('create-permission');
    }

    /**
     * Resolve the mutation and return the results.
     */
    public function resolve(mixed $root, array $args, mixed $context, ResolveInfo $resolveInfo, Closure $getSelectFields): mixed
    {
        $fields = $getSelectFields();
        $select = $fields->getSelect();
        $with = $fields->getRelations();

        $rules = [
            'name' => ['required', 'regex:/^[a-zA-Z\-]+$/', 'max:255', 'unique:permissions,name'],
            'description' => ['nullable', 'string', 'max:255'],
        ];

        $messages = [
            'name.required' => 'The name field is required.',
            'name.regex' => 'The name field must only contain letters and dashes.',
            'name.max' => 'The name must not exceed 255 characters.',
            'name.unique' => 'The name has already been taken.',
            'description.string' => 'The description must be a string.',
            'description.max' => 'The description must not exceed 255 characters.',
        ];

        // Validate the arguments
        $validator = Validator::make($args, $rules, $messages);

        if ($validator->fails()) {
            throw ValidationException::withMessages($validator->errors()->toArray());
        }

        // Proceed with creating the Permission if validation passes
        $validated = $validator->validated();

        $permission = Permission::create([
            'name' => $validated['name'],
            'description' => $validated['description'] ?? null,
            'status' => Permission::ACTIVE,
            'createdBy' => auth()->user()->id,
            'updatedBy' => auth()->user()->id,
        ]);

        return [
            'status' => true,
            'message' => 'Permission created successfully.',
            'errors' => '',
            'data' => $permission,
        ];
    }
}

Error:

 "errors": [
        {
            "message": "Unauthorized",
            "locations": [
                {
                    "line": 2,
                    "column": 5
                }
            ],
            "path": [
                "createPermission"
            ],
       }
]

[mfn]

Currently, I have a single schema in graphql.php that contains both public and authenticated operations. However, I need to conditionally apply the auth:api middleware based on the type of operation (public or authenticated).

I faced a similar requirement, but that's what multiple schemas are for.

With the current implementation, all queries & types exist in one "global state", so to have truly separate schema, you need to use separately named queries and types, unless you want an overlap.

On my case, I define a public schema with types named PublicUser, etc and queries like publicLogin etc.

Different schemas means I statically defined a different middleware with them, and it's all good. Less dynamic, less magic, easier to reason.