Calling custom code when a GraphQL call is rejected due to a restricted type

I’m using Tyk as a gateway to a GraphQL API when some fields have restricted access specified via security policies.

Question: is it possible to execute some custom plugin when a user attempts to access a GraphQL field which is restricted for them?

Alternatively, am I even to know that some user attempted to access a restricted field and failed? For example, should I analyze Tyk logs for this?

Question: is it possible to execute some custom plugin when a user attempts to access a GraphQL field which is restricted for them?

Yes, it’s possible. The token session object details contain the access_rights information, which holds the restricted_types.fields. We have a number of plugin languages you could leverage to achieve this. For example, you would achieve this in the PostMiddleware section if you were using JavaScript.

Alternatively, am I even to know that some user attempted to access a restricted field and failed? For example, should I analyze Tyk logs for this?

I don’t think it’s necessary, however, it depends on what your use case is or what you are trying to achieve. A custom response during a check in the custom plugin should suffice. Unless you have other ideas.

One thing to note is that for the request or response details of the analytics to be exported, you would need to enable detailed recording. That could significantly increase the data for the exported analytics. So I guess it’s not worth it unless you are debugging stuff or trying to filter through some critical data.

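One way to implement the check described in the answer above, as an added example that is not part of the original thread and is not Tyk's own code: a JavaScript post middleware that compares the root fields of the incoming GraphQL query with the key's restricted_types, logs the attempt and returns a custom response. Assumptions: `API_ID` is a placeholder, the middleware name `gqlRestrictedAudit` and the helper names are hypothetical, the sample type and field names are constructed, and the schema uses the default root type names.

```javascript
// Assumed shape: session.access_rights[apiId].restricted_types = [{ name: "Query", fields: ["salary"] }]
var API_ID = "<your-api-id>"; // placeholder
var ROOT = { query: "Query", mutation: "Mutation", subscription: "Subscription" }; // default root names assumed
// Fields selected directly under each operation's root type. Simplified scanner:
// aliases are resolved, fragments are not expanded, nested types are not checked.
function rootSelections(query) {
  var re = /"(?:\\.|[^"\\])*"|#[^\n]*|\.\.\.|@?[A-Za-z_]\w*|[{}():]/g;
  var out = [], depth = 0, parens = 0, type = "Query", skip = false, m, t;
  while ((m = re.exec(query)) !== null) {
    t = m[0];
    if (t === "(" || t === ")") { parens += t === "(" ? 1 : -1; continue; }
    if (parens > 0) continue; // ignore arguments and variable definitions
    if (t === "{") depth++;
    else if (t === "}") { depth--; if (depth === 0) type = "Query"; }
    else if (t === ":" && depth === 1 && type) out.pop(); // name before ":" was an alias
    else if (/^[A-Za-z_]/.test(t) && !skip) {
      if (depth === 0) type = ROOT.hasOwnProperty(t) ? ROOT[t] : t === "fragment" ? null : type;
      else if (depth === 1 && type) out.push({ type: type, field: t });
    }
    skip = t === "..." || (skip && t === "on"); // skip fragment names and type conditions
  }
  return out;
}
// "Type.field" keys present both in the request and in restricted_types.
function restrictedHits(query, restrictedTypes) {
  var deny = {}, hits = [];
  (restrictedTypes || []).forEach(function (rt) {
    (rt.fields || []).forEach(function (f) { deny[rt.name + "." + f] = true; });
  });
  rootSelections(query).forEach(function (s) {
    var key = s.type + "." + s.field;
    if (deny.hasOwnProperty(key) && hits.indexOf(key) < 0) hits.push(key);
  });
  return hits;
}
function queryOf(body) { try { return JSON.parse(body).query || ""; } catch (e) { return ""; } }
// Tyk JSVM wiring (post middleware, so the session is populated); skipped outside the gateway.
if (typeof TykJS !== "undefined") {
  var gqlRestrictedAudit = new TykJS.TykMiddleware.NewMiddleware({});
  gqlRestrictedAudit.NewProcessRequest(function (request, session, spec) {
    var rights = (session.access_rights || {})[API_ID] || {};
    var hits = restrictedHits(queryOf(request.Body), rights.restricted_types);
    if (hits.length) {
      log("restricted GraphQL field requested: " + hits.join(", "));
      request.ReturnOverrides.ResponseCode = 403;
      request.ReturnOverrides.ResponseError = "Access to a restricted field was denied";
    }
    return gqlRestrictedAudit.ReturnData(request, session.meta_data);
  });
}
```

Restrictions on non-root types (for example a field of an object returned by a query) need the schema to resolve each selection's parent type, so this sketch reports root-type fields only.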