Graphcool / graphcool-framework

Apache License 2.0

access to the JWT data inside the permission query #91

Open marktani opened 6 years ago

marktani commented 6 years ago

Issue by kurt-o-sys, Friday Jun 16, 2017 at 14:19 GMT. Originally opened as https://github.com/graphcool/prisma/issues/251


graphcool provides a very coarse integration with auth0 JWT. If the JWT data is available inside the permission query, fine-grained access would be possible. The permission flow would be like this:

  1. Check JWT validity - check if the user is authenticated. This already exists.
  2. Use JWT data for further authorization logic, which could be:
    • general access for all types and fields based on other fields. For example, having an approved field in the JWT data would require a user to be approved (by a user admin) before (s)he can do something
    • specific very fine-grained access in the permission query, in which one could check for certain roles, permissions or groups in the JWT. For example, an app_metadata/role/admin can perform mutations and creations, while an app_metadata/role/user can only view data. Or even field-specific stuff.

Leaving user management in auth0 has, in certain cases, quite some advantages, the main one: a user admin can handle the auth0 dashboard, but may not be able to understand how to work with a database such as graphcool. It's just about decoupling user management (incl. roles/groups/permissions) from database and app logic.

FR: make JWT payload/data available in the permission query.

marktani commented 6 years ago

Comment by kurt-o-sys Thursday Dec 21, 2017 at 02:08 GMT


This is still open... is there any progress?