Extensions

warning Warning This chapter applies only to the code first approach.

Extensions is an advanced, low-level feature that lets you define arbitrary data in the types configuration. Attaching custom metadata to certain fields allows you to create more sophisticated, generic solutions. For example, with extensions, you can define field-level roles required to access particular fields. Such roles can be reflected at runtime to determine whether the caller has sufficient permissions to retrieve a specific field.

Adding custom metadata

To attach custom metadata for a field, use the @Extensions() decorator exported from the @nestjs/graphql package.

  1. @Field()
  2. @Extensions({ role: Role.ADMIN })
  3. password: string;

In the example above, we assigned the role metadata property the value of Role.ADMIN. Role is a simple TypeScript enum that groups all the user roles available in our system.

Note, in addition to setting metadata on fields, you can use the @Extensions() decorator at the class level and method level (e.g., on the query handler).

Using custom metadata

Logic that leverages the custom metadata can be as complex as needed. For example, you can create a simple interceptor that stores/logs events per method invocation, or a field middleware that matches roles required to retrieve a field with the caller permissions (field-level permissions system).

For illustration purposes, let’s define a checkRoleMiddleware that compares a user’s role (hardcoded here) with a role required to access a target field:

  1. export const checkRoleMiddleware: FieldMiddleware = async (
  2. ctx: MiddlewareContext,
  3. next: NextFn,
  4. ) => {
  5. const { info } = ctx;
  6. const { extensions } = info.parentType.getFields()[info.fieldName];
  7. /**
  8. * In a real-world application, the "userRole" variable
  9. * should represent the caller's (user) role (for example, "ctx.user.role").
  10. */
  11. const userRole = Role.USER;
  12. if (userRole === extensions.role) {
  13. // or just "return null" to ignore
  14. throw new ForbiddenException(
  15. `User does not have sufficient permissions to access "${info.fieldName}" field.`,
  16. );
  17. }
  18. return next();
  19. };

With this in place, we can register a middleware for the password field, as follows:

  1. @Field({ middleware: [checkRoleMiddleware] })
  2. @Extensions({ role: Role.ADMIN })
  3. password: string;