inaccessible v0.2
for removing elements from a core schema
| Status | Release |
| Version | 0.2 |
1@inaccessible
directive @inaccessible on
| FIELD_DEFINITION
| OBJECT
| INTERFACE
| UNION
| ENUM
| ENUM_VALUE
| SCALAR
| INPUT_OBJECT
| INPUT_FIELD_DEFINITION
| ARGUMENT_DEFINITIONMark a location within the schema as inaccessible. Inaccessible types and fields are available internally, but not exposed through the public‐facing API:
extend schema
@link(url: "https://specs.apollo.dev/link/v1.0")
@link(url: "https://specs.apollo.dev/inaccessible/v0.2")
type Query {
myself: User
allUsers: [User] @inaccessible
}
type User {
id: ID!
secret: String! @inaccessible
}
type Query {
myself: User
}
type User {
id: ID!
}
2Definitions
This document uses RFC 2119 guidance regarding normative terms: MUST / MUST NOT / REQUIRED / SHALL / SHALL NOT / SHOULD / SHOULD NOT / RECOMMENDED / MAY / OPTIONAL.
2.1Processor
This specification makes references to Processors. Processors are described in the Actors section of the @core spec as an actor which can perform transformations on a core schema. In the case of @inaccessible, the Processor will be expected to remove various parts of a core schema.
3Example: Sensitive User Data
This section is non‐normative.
We’ll refer to this example of a core schema with sensitive user data throughout the document:
directive @core(as: String, feature: String!, for: core__Purpose) repeatable on SCHEMA
directive @inaccessible on FIELD_DEFINITION | OBJECT | INTERFACE | UNION
enum core__Purpose {
EXECUTION
SECURITY
}
schema
@core(feature: "https://specs.apollo.dev/core/v0.2")
@core(feature: "https://specs.apollo.dev/inaccessible/v0.2", for: SECURITY)
{
query: Query
}
type Query {
user(id: String!): User
}
type User {
id: String! @inaccessible
name: String!
email: String!
bankAccount: BankAccount @inaccessible
accounts: [Account]
}
type BankAccount @inaccessible {
id: String!
accountNumber: String!
}
type ForumAccount {
handle: String!
}
union Account = BankAccount | ForumAccount
The schema above contains both a field (User.id) and type (BankAccount) that are marked as @inaccessible. These symbols should be omitted from the processed schema anywhere they would appear. When the processed schema below is generated from this core schema, notice what has been removed:
User.idfieldBankAccounttypeUser.bankAccountfieldAccountunion’sBankAccounttype
directive @core(as: String, feature: String!, for: core__Purpose) repeatable on SCHEMA
enum core__Purpose {
EXECUTION
SECURITY
}
schema
@core(feature: "https://specs.apollo.dev/core/v0.2")
{
query: Query
}
type Query {
user(id: String!): User
}
type User {
name: String!
email: String!
accounts: [Account]
}
type ForumAccount {
handle: String!
}
union Account = ForumAccount4Determining the public API
The processor implementing @inaccessible MUST ensure that it returns a public‐facing API with all @inaccessible items removed:
- Field Definitions marked with
@inaccessibleMUST be excluded - Object types marked with
@inaccessibleMUST be excluded - Object types marked with
@inaccessibleMUST be excluded from membership in any unions - Interfaces marked with
@inaccessibleMUST be excluded - Interfaces marked with
@inaccessibleMUST be excluded from theextendsclause of all other interfaces - Union types marked with
@inaccessibleMUST be excluded - Enum types marked with
@inaccessibleMUST be excluded - Enum values marked with
@inaccessibleMUST be excluded and MUST not be returned to users or accepted as input
@inaccessible types which are not themselves marked @inaccessible will now return an invalid type which is not present in the schema. This is intentional. @inaccessible does NOT cascade. If applying @inaccessible results in an invalid schema, the serving process SHOULD apply standard polices to determine whether or how to serve it. Generally, invalid schemas SHOULD NOT be served, though some server configurations—particularly those used for development—may OPTIONALLY elect to serve such schemas in a degraded mode. The semantics of such a mode are not within the scope of this spec.