Variable Declaration Directives / Secret Hiding

[clayplumridge]

Our Scenario

We're using a DiagnosticObserver to log query executions along with their payloads:

[DiagnosticName(DiagnosticNames.StartQuery)]
public void BeginQueryExecute(IQueryContext context)
{
    _logger.LogInformation("Beginning GQL Query Execution\nQuery: {Query}\nParams: {Params}", context.Request.Query.ToString(), String.Join(' ', context.Request.VariableValues.Select(x => $"[{x.Key}, {x.Value.ToJson()}]")));
}

However, we sometimes communicate secrets to HotChocolate, and don't want to store those in logs. What we'd like to do is allow consumers to identify input variables as Secrets, detect that directive in our logger, and instead use "****" when stringifying it within the logger.

Eg:

query myCustomQuery($id: String!, $mySecret: String! @secret) {
    /* Other stuff goes here */
}

For the variables, would produce:

[id, "SomeValue"] [mySecret, "****"]

However, when I attempt something like this, once HotChocolate parses the query, it outputs as (on this log line):

query myCustomQuery($id: String!, $mySecret: String!) {
    /* Other stuff goes here */
}

Which has the directive dropped, implying that it isn't getting parsed correctly / at all. In this scenario, I've not defined a DirectiveType that would correspond to this Directive, which I suppose could be a cause. Which DirectiveLocation should I use for this if that's the problem?

The GQL spec is... fuzzy as to whether this is a supported scenario or not. I did find PRs that are almost 2 years old attempting to test HotChocolate's ability to consume these kinds of directives, but it's unclear to me if this is still supported or not.

If this method of interaction isn't supported, do you have any other suggestions as to how to make this work? Something like a Query-level directive we've also considered, but it's not nearly as good:

query myCustomQuery($id: String!, $mySecret: String!) @secrets(variableNames: ["mySecret"]) {
    /* Query Body */
}

Thanks! And thank you for developing and maintaining this project; my team is using it to great effect and we really appreciate the time, effort, and care that's gone into it.

[michaelstaib]

The 2018 GraphQL Spec is quite clear on that this is not supported:
http://spec.graphql.org/June2018/#sec-Type-System.Directives

However, the upcoming GraphQL Spec 2020 will add support for that. We also have implemented this already. It might just be that the query syntax printer has a bug and does not output it.

I will have a look at this.

[michaelstaib]

This should be possible now.