The usual way for doing authentication with Absinthe is to write some middleware. However, this has the unfortunate side effect of revealing some details to unauthenticated connections.
For example, an unauthenticated connection can hit my API with a valid mutation identifier, say
createAccount with an empty body and - because I have specified some
non_null fields in my input - they won’t be rejected with “unauthenticated” error message. Instead, they will get some errors like “[field] has an invalid format NULL, should be INT/STRING/ID” or something like that.
Basically, is it possible to write middleware that happens before document validation?