Summary: I'm trying to hide the types and fields a user is not allowed to query when retrieving the schema (both through introspection and /graphql/schema printer).

My Context: Kotlin, Spring security and Spring GraphQL (which uses this library GrahpQL-Java).

I have a test application which has the following:

1. I have for each field created a method to return the value.
2. Most of these methods have a spring security annotations like @PreAuthorize("hasRole('READ_SENSITIVE')")
3. With the rest of Spring security in place a user who has the role READ_SENSITIVE gets the value and a user without this role gets an error.

At this point setting permissions and blocking access works as I want it.

The next step I find a lot harder; I want to hide the parts of the schema the current user is not allowed to see. The intent is that the schema returned does not have any fields where the current user does not have the right permissions for. This also means that different users will in general get a different schema when they ask for it.

I have tried to create a custom instrumentation class and in the instrumentSchema method look at the schema (see rough snippet below). With this I have access to the Field definitions and their DataFetchers ...

The hurdle I ran into is that when I finally have access to the DataFetcher of the field the actual DataFetcher implementations consist of mostly (package)private classes and fields.

I have not yet been able to gain access to the underlying method so I can get the @PreAuthorize annotation and do the checks I want.

What is the correct route to get there?
Or is this something that would need some changes in the core library (like adding a Boolean isAllowed() kind of method to the top DataFetcher interace)?

Experimental snippet:

@Component
class SpringSecurityInstrumentation() : SimplePerformantInstrumentation() {

    override fun instrumentSchema(
        schema: GraphQLSchema,
        parameters: InstrumentationExecutionParameters,
        state: InstrumentationState?
    ): GraphQLSchema {

        val codeRegistry = schema.codeRegistry
        for (type in schema.typeMap.values.filter { it is GraphQLObjectType }.filter {!it.name.startsWith("__")}.map { it as GraphQLObjectType }) {
            for (field in type.fieldDefinitions) {
                println("Field: ${type.name} --> ${field.name}")
                val dataFetcher = codeRegistry.getDataFetcher(type, field)
                when (dataFetcher) {
                    // IS PACKAGE PRIVATE ...
                    is ContextDataFetcherDecorator ->
                }
                println(dataFetcher)
            }
        }

        if (SecurityContextHolder.getContext().authentication == null) {
            println("Anonymous")
        }
        else {
            println(SecurityContextHolder.getContext().authentication.name)
        }
        return super.instrumentSchema(schema, parameters, state)
    }
}