When using useGenericAuth Query Objects not passed Directives

[MDrooker]

Bug-
Is there a different way to validate the directives on Query objects? I do get them passed on the fields that I have added the same directive on, but not topLevel Query.

We are using the userGenericAuth plugin with this config-

useGenericAuth({
    resolveUserFn,
    validateUser,
    mode: 'protect-granular',
})

I have a schema that looks like this-

directive @auth(role: Role!) on FIELD_DEFINITION | OBJECT | QUERY | MUTATION
enum Role {
  ADMIN
  MEMBER
}
type Query {
  event(
    """Filter by fields"""
    filter: FilterFindOneeventInput
  ): 
event @rateLimit(window: "1s", max: 5, message: "Too many requests, please try again later") @admin(role: "ADMIN")
}

I am trying to lock down the event query for only users with the role "ADMIN".
The user object being created looks like this returned from the reolveUserFN-

return {
        name: 'Jim',
        role: 'ADMIN'
}

Per the documentation the validateFunction should be the place to determine if an object has a directive attached to validate the perms of the current userObject
Ours looks like =

const validateUser = ({ user, objectType, fieldNode, fieldAuthDirectiveNode }) => {
    const schemaCoordinate = `${objectType.name}.${fieldNode.name.value}`;
    const valueNode = fieldAuthDirectiveNode?.arguments?.find(arg => arg.name.value === 'role').value
    console.log(schemaCoordinate)
    console.log(valueNode)
    return null
}

But when each field is validated, the query type of

Query.event

Has undefined returned for the fieldAuthDirectiveNode.

We are using
"@envelop/core": "^2.1.0",
"@envelop/generic-auth": "^4.0.0",
"graphql-helix": "^1.12.0"

Thank you

[n1ru4l]

@MDrooker Can you please provide a minimal reproduction on StackBlitz or CodeSandbox or failing test in a PR?

[MDrooker]

Actually its a false alarm...caused by us upgrading to 4.0.

The change documented in the notes-

Now the authorization rules are applied statically before running any execution logic, 
which results in the WHOLE operation being rejected as soon 
as a field in the selection set does not have sufficient permissions.

was the cause.

I guess the real question-
Is there a way to get that functionality back?
We would still return the fields that didnt require any auth vs just returning an empty payload and no errors.
In the example below, title and body fields should still return data. They are being evaluated anyway

Link to sandbox-
https://codesandbox.io/s/envelop-test-reybbs

With this query-

https://reybbs.sse.codesandbox.io/graphql?query=query%7B%0A++event%7B%0A++++eventuuid%0A++++title%0A++++body%0A++%7D%0A%7D

[n1ru4l]

For that use-case the checks can be done in within your object type field resolver functions and the resolve-only mode.

[MDrooker]

Have to ask, this was the behavior before, and each field is still being evaluated in the validateUser FN with the current version. So why the change in thought?

If we moved to do the ObjectType field resolver, doesn't it pollute the concerns that Envelop is solving?

[n1ru4l]

See the description of #998 (comment) on why we decided upon this change.