inaccessible v0.2

for removing elements from a core schema

StatusRelease
Version0.2

1@inaccessible

directive @inaccessible on
  | FIELD_DEFINITION
  | OBJECT
  | INTERFACE
  | UNION
  | ENUM
  | ENUM_VALUE
  | SCALAR
  | INPUT_OBJECT
  | INPUT_FIELD_DEFINITION
  | ARGUMENT_DEFINITION

Mark a location within the schema as inaccessible. Inaccessible types and fields are available internally, but not exposed through the public‐facing API:

Example № 1 input schema
extend schema
  @link(url: "https://specs.apollo.dev/link/v1.0")
  @link(url: "https://specs.apollo.dev/inaccessible/v0.2")

type Query {  
  myself: User
  allUsers: [User] @inaccessible
}

type User {
  id: ID!
  secret: String! @inaccessible
}
Example № 2 API schema for input
type Query {
  myself: User
}

type User {
  id: ID!
}

2Definitions

This document uses RFC 2119 guidance regarding normative terms: MUST / MUST NOT / REQUIRED / SHALL / SHALL NOT / SHOULD / SHOULD NOT / RECOMMENDED / MAY / OPTIONAL.

2.1Processor

This specification makes references to Processors. Processors are described in the Actors section of the @core spec as an actor which can perform transformations on a core schema. In the case of @inaccessible, the Processor will be expected to remove various parts of a core schema.

3Example: Sensitive User Data

This section is non‐normative.

We’ll refer to this example of a core schema with sensitive user data throughout the document:

Example № 3 Core schema example
directive @core(as: String, feature: String!, for: core__Purpose) repeatable on SCHEMA
directive @inaccessible on FIELD_DEFINITION | OBJECT | INTERFACE | UNION

enum core__Purpose {
  EXECUTION
  SECURITY
}

schema
  @core(feature: "https://specs.apollo.dev/core/v0.2")
  @core(feature: "https://specs.apollo.dev/inaccessible/v0.2", for: SECURITY)
{
  query: Query
}

type Query {
  user(id: String!): User
}

type User {
  id: String! @inaccessible
  name: String!
  email: String!
  bankAccount: BankAccount @inaccessible
  accounts: [Account]
}

type BankAccount @inaccessible {
  id: String!
  accountNumber: String!
}

type ForumAccount {
  handle: String!
}

union Account = BankAccount | ForumAccount

The schema above contains both a field (User.id) and type (BankAccount) that are marked as @inaccessible. These symbols should be omitted from the processed schema anywhere they would appear. When the processed schema below is generated from this core schema, notice what has been removed:

Example № 4 Core schema after processing
directive @core(as: String, feature: String!, for: core__Purpose) repeatable on SCHEMA

enum core__Purpose {
  EXECUTION
  SECURITY
}

schema
  @core(feature: "https://specs.apollo.dev/core/v0.2")
{
  query: Query
}

type Query {
  user(id: String!): User
}

type User {
  name: String!
  email: String!
  accounts: [Account]
}

type ForumAccount {
  handle: String!
}

union Account = ForumAccount

4Determining the public API

The processor implementing @inaccessible MUST ensure that it returns a public‐facing API with all @inaccessible items removed:

Note Applying this process may result in an invalid schema. For example, fields which return @inaccessible types which are not themselves marked @inaccessible will now return an invalid type which is not present in the schema. This is intentional. @inaccessible does NOT cascade. If applying @inaccessible results in an invalid schema, the serving process SHOULD apply standard polices to determine whether or how to serve it. Generally, invalid schemas SHOULD NOT be served, though some server configurations—particularly those used for development—may OPTIONALLY elect to serve such schemas in a degraded mode. The semantics of such a mode are not within the scope of this spec.

§Index

  1. @inaccessible
  1. 1@inaccessible
  2. 2Definitions
    1. 2.1Processor
  3. 3Example: Sensitive User Data
  4. 4Determining the public API
  5. §Index