Schema stitching: how to implement headers pass-through?

[wujekbogdan]

I have a GraphQL server that requires authorization via bearer token. Normally this token is provided by client.
I want to introduce another front-end to that API taking advantage of schema stitching, but I still want API calls to require bearer-token-based authorization.

That's the code I have at the moment:

import { createServer } from 'node:http';
import { buildHTTPExecutor } from '@graphql-tools/executor-http';
import { schemaFromExecutor } from '@graphql-tools/wrap';
import { createYoga } from 'graphql-yoga/typings';
import { stitchSchemas } from '@graphql-tools/stitch/typings';

const makeSchema = async () => {
  const executor = buildHTTPExecutor({
    endpoint: process.env.MY_URL,
    headers: {
      authorization: `Bearer ${process.env.MY_TOKEN}`,
    },
  });

  return {
    schema: await schemaFromExecutor(executor),
    executor,
    transforms: [
      // My custom transforms
    ],
  };
};

const yoga = await createYoga({
  schema: stitchSchemas({
    subschemas: [await makeSchema()],
  }),
});

createServer(yoga).listen();

With this code I provide the token on the server side and expose unprotected GraphQL server to clients. That's not what I want. I still want API requests to require authorization.

Is there any way I can still use the server-side token to build the executor, but still autorize cliend-sider requests using a token provided by clients?

[wujekbogdan]

The solution workaround I found is the following:

const makeSchema = async () => {
  const initialExecutor = buildHTTPExecutor({
    endpoint: process.env.MY_URL,
    headers: {
      authorization: `Bearer ${process.env.MY_TOKEN}`,
    },
  });

  const runtimeExecutor = buildHTTPExecutor({
    endpoint: process.env.MY_URL,
    headers: (executorRequest) => {
      // Get the original request header from the client call
      const authorization =
        executorRequest?.context?.request?.headers?.headersInit
          ?.authorization ?? '';

      // Use that header to authorize Energy Core GraphQL requests
      return {
        authorization,
      };
    },
  });

  return {
    schema: await schemaFromExecutor(initialExecutor),
    executor: runtimeExecutor,
    transforms: [
      // My custom transforms
    ],
  };
};

But it doesn't seem very elegant because the official docs say:

Executors are not responsible of validating the requests. By default, the validation is expected to be done on the gateway level based on the gateway request, because the remote APIs should already do the validation. However, if you still want to validate the request on the subschema level, you can use the validateRequest option of the subschema configuration objects.

The problem is that validateRequest property doesn't appear to be a valid option for buildHTTPExecutor() it neither exists on the subschema configuration object. I found that only the delegateToSchema() function supports this argument.

I suppose I'm missing something.

[ardatan]

Request validation is a different thing and completely unrelated to your situation. Your solution is correct and it is not a workaround because executor and stitching cannot know the shape of your context which is implementation specific.

[wujekbogdan]

Thank you!