auth.js

const hasRole = (role, next) => {
  return (obj, args, ctx) => {
    if (ctx.rootValue.user.hasRole(role)) {
      next(obj, args, ctx);
    } else {
      return null;
    }
  }
}

graphql.js

const { query, variables } = request.params; // from the request
const user = db.getUser(request.session.userId); // from your session -- pretend it has user id or something!

graphql(schema, query, {user}, variables); // shove the user in the root value

schema.js

const UserType = new GraphQLObjectType({
  name: 'User',
  fields: {
    email: {
      type: GraphQLString,
      resolve: (user, _, {rootValue}) => {
        // only the current user can see their email
        // can imagine this checking admin roles and stuff
        if (user.id === rootValue.user.id) {
          return user.email;
        } else {
          // maybe you can throw to add an error to the response!
          return null;
        }
      }
    },
    socialSecurityNumber: {
      type: GraphQLString,
      resolve: hasRole('admin', user => user.socialSecurityNumber)
    }
  }
});

@bostonou I can't stop:

https://www.youtube.com/watch?v=7lm3K8zVOdY

This was a talk from clojure/conj 2014 where a bank actually filters a datomic database to only include attributes a user can see. This means any query can be run safely as the only attribute values which can possibly be returned are authorized.

I have _zero_ idea if this is a good / bad idea, but definitely neato. And cognitect has included them in literature so maybe its a great idea, I dunno!

http://blog.cognitect.com/blog/2015/9/14/nubank