Restrict Read Count for a user, Realm, GraphQL

We are using Realm-created default GraphQL APIs, Firebase Auth + Custom JWT (Mongo Realm).
We want to restrict the API calls or document reads for a non-premium user to within a certain limit (e.g. a non-premium user can only use the API 5 times).
How can I achieve this scenario with existing functionality?
Is there any way without using custom resolvers?

You should be able to achieve something like this by using custom user data or creating a collection with a mapping of each user to a field that could be called something like premium_limit which defaults to 0 when a user is created. Then you can write a custom resolver that grabs the context.currentUser() and updates this field, while also continuing to do the query if the # is under the limit.

Hopefully that answers your question

@Sumedha_Mehta1 thank you very much for your reply. I understood all the steps you mentioned and am looking at the very last step of using custom resolvers. Right now we are using the default Mongo-generated GraphQL APIs from collection schemas. Is there a way to intercept those GraphQL requests, something similar to middleware in Node.js? Just want to avoid writing custom resolvers at the moment, due to time constraints.

I don’t think there is a way to intercept those requests unless you implement your own serverside (which may defeat the purpose of using Realm in the first place).

There are a few more ways to go about this:

  • Permissions (I should have mentioned this one earlier): you can add permissions + filters for each user, based on their custom user data before they can read/write any data. Your permissions will depend on checking the limit you specified in the custom user data (see examples here). GraphQL will automatically apply these permissions when you make any requests.
    One thing to note is that you will have to appropriately handle the ‘Access Not Granted’ error on the client if the user no longer has access.

  • Write a Realm function that checks the limit for the user and one that updates the limit. Call the function to check the limit before deciding to do the API call. Call the function to update the limit after the API call is finished.


Great, I understand your points.
Just want to add a few points on top of it:

  1. Client-side count handling is one of the ways. Our concern is, if someone gets access to the idtoken then they will be able to make the call without the counts getting updated (using a different client).
  2. If possible in the near future, some middleware or hooks could be implemented (I am keeping aside the custom resolver idea) to handle these kinds of scenarios and third-party integrations.
    We really liked the Realm product and are planning to use it as our default backend going forward, and are also looking for Flutter support for Realm and background sync.

Thanks for the feedback and glad you liked it.

I will say that the recommended approach here would be permissions + functions. However, you can add the feedback items you listed here so the product team can get a good idea of how many users are requesting certain features and prioritize appropriately. Thanks!
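
The server-side check the replies describe (a function or custom resolver that takes the caller from the function context and updates premium_limit), as an added example that is not part of the thread or MongoDB's own code. It does the check and the increment in one atomic update, so a client holding the ID token cannot read without being counted; the `is_premium` field, the `user_id` key and the in-memory collection stand-in are assumptions so it runs offline.

```javascript
const FREE_READ_LIMIT = 5; // "5 times" from the question

// usage:    collection mapping each user to premium_limit (0 at creation).
// user:     the authenticated caller, taken from the function context server-side.
// runQuery: the read itself; it runs only after a slot has been claimed.
// In a Realm function, usage would come from something like
// context.services.get("mongodb-atlas").db("app").collection("usage")
// (database and collection names are assumptions).
async function limitedRead(usage, user, runQuery) {
  if (user.is_premium) { // is_premium: hypothetical custom user data field
    return { allowed: true, data: await runQuery() };
  }
  // Single atomic operation: the filter matches only while the user is under
  // the limit, so the check and the increment cannot be separated or skipped
  // by a different client that replays the same ID token.
  const claimed = await usage.findOneAndUpdate(
    { user_id: user.id, premium_limit: { $lt: FREE_READ_LIMIT } },
    { $inc: { premium_limit: 1 } },
    { returnNewDocument: true }
  );
  if (!claimed) return { allowed: false, data: null };
  return { allowed: true, used: claimed.premium_limit, data: await runQuery() };
}

// Constructed in-memory stand-in for the collection so the example runs offline;
// it supports only the filter and update shapes used above.
function fakeUsageCollection(docs) {
  return {
    async findOneAndUpdate(filter, update) {
      const doc = docs.find((d) => d.user_id === filter.user_id &&
        d.premium_limit < filter.premium_limit.$lt);
      if (!doc) return null;
      doc.premium_limit += update.$inc.premium_limit;
      return { ...doc };
    },
  };
}

// Seven calls by one non-premium user: five are served, two are refused.
async function demo() {
  const usage = fakeUsageCollection([{ user_id: "u1", premium_limit: 0 }]);
  const user = { id: "u1", is_premium: false };
  const outcomes = [];
  for (let i = 0; i < 7; i++) {
    outcomes.push((await limitedRead(usage, user, async () => "doc")).allowed);
  }
  return outcomes;
}
```

A user with no usage document is refused as well, since the filter matches nothing; create the document with premium_limit set to 0 when the user is created, as the first reply suggests.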