GraphQL Viewer for mutations

Question

Is it a good practice to have a viewer for GraphQL mutations? Theoretically this makes sense to me as some mutation end points shouldn't be possible if you are not logged in, etc.

But when I see examples on the web, I only see implementation of GraphQL viewers for queries. For mutations, I do not see any implementation of viewers. For example, the GitHub API doesn't have a viewer on top of all their mutations.

Answer 1

The viewer field isn't a good practice, either for mutations or queries. It's a remnant of Facebook's legacy GraphQL platform from before it was open-sourced, which didn't allow arguments on root query fields. This meant that all of the fields needed to be moved one level down, below viewer.

The current way to do auth in GraphQL, at least in the JavaScript implementation, is by getting the user data based on something like an HTTP header and putting it on context, as mentioned here: http://graphql.org/learn/authorization/

Therefore, there is no reason to do viewer for mutations, or for queries. Most GraphQL clients don't mind, but one situation where it could make sense to have it in queries specifically is if you are using Relay 0.x, which has inherited some of Facebook's legacy GraphQL limitations. Hopefully a future version of Relay will remove this requirement.

For an additional source, read this comment from Lee Byron, one of the original creators of GraphQL.