Accessing jwt.claim.user_id as variable value in query about crystal HOT 2 CLOSED

without RLS

I hate to be the bearer of bad news but avoiding RLS is highly likely to make your app less secure and more complex

in a typical postgraphile app, the solution to this feature is usually a currentUser query which is defined by a few postgres functions

create function app_public.current_session_id() returns uuid as $$
  select nullif(pg_catalog.current_setting('jwt.claims.session_id', true), '')::uuid;
$$ language sql stable;

create function app_public.current_user() returns app_public.users as $$
  select users.* from app_public.users where id = app_public.current_user_id();
$$ language sql stable;

then assuming that orders has a foreign key to users you can access the current user's orders with a graphql query like

query {
  currentUser {
    orders {
      nodes {
        id
        amount
      }
    }
  }
}  

from crystal.

^ This is the correct answer, thanks Daniel.

Basically: you use the graph-based nature of GraphQL to start at the current user, and then navigate from there to the related orders. You can add a field representing the current user via a database function as Daniel shows, or you can use makeExtendSchemaPlugin along with additionalGraphQLContextFromRequest (v4) or preset.grafast.context (v5) to add the relevant user ID to the context so that it can be used in your resolver (v4) / plan resolver (v5).

If you're really set on not using RLS at all (which I don't think is your question, but just in case), check out https://github.com/benjie/v5-auth-poc which is V5 only and highly experimental (not supported at all - it even needs a patch (included) to work currently).

[semi-automated message] To keep things manageable I'm going to close this issue as I think it's solved; but if not or you require further help please re-open it.

from crystal.