Generic auth with protect-granular mode

[ethdev279]

I’m using @envelop/generic-auth in my GraphQL Yoga server, following this example. I’ve set mode to protect-granular, expecting the resolveUserFn to only be called for fields marked with the @authenticated directive. However, I noticed that resolveUserFn is being called for all fields, including public fields that don’t require authentication.

This behavior adds unnecessary overhead for fields that don’t need user resolution or validation.

What I was expecting:

In protect-granular mode:

• resolveUserFn should only be invoked for fields marked with the @authenticated directive.
• Public fields should bypass user resolution and validation.

Actual Behavior

• resolveUserFn is executed for all fields, including public fields, leading to unnecessary overhead.

Reproduction

1. Schema:

   directive @authenticated on FIELD_DEFINITION
   
   type Query {
     requiresAuth: String @authenticated
     public: String
   }

2. Plugin setup in GraphQL Yoga:

   useGenericAuth({
     mode: 'protect-granular',
     async resolveUserFn(context) {
       const token = context.request.headers.get('x-authorization');
       // further validations: decoding, getting user deails from db e.t.c.
       return token ?? null;
     },
   });

3. Query:

   query {
     public
   }

4. Observe that resolveUserFn is called for the public field.

any thoughts on this?