SoftInstigate / restheart

Open Source Low-code API development framework Featuring ready-to-go Security and MongoDB API
http://softinstigate.github.io/restheart/
GNU Affero General Public License v3.0

Add auth GraphQL directive to control field visibility according to auth roles #478

Open ujibang opened 10 months ago

ujibang commented 10 months ago

Brief overview

Enhance GraphQL authorization by providing a field directive to enforce field visibility on the basis of the client's role.

Rationale

Currently RH allows providing different views to different roles with the so-called multi-schema solution: see https://restheart.org/docs/security/security-hardening#define-role-specific-graphql-applications

A more flexible approach is providing a directive to control field visibility:

# the directive must be declared before it can be applied to a field
directive @visible(roles: [String!]!) on FIELD_DEFINITION

type Query {
  hidden: String! @visible(roles:["foo", "bar"])
  person(id: ID!): Person
}

See also https://www.graphql-java.com/documentation/field-visibility/

Detailed documentation

TBD
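To make the proposed semantics concrete, here is an added Python model of the directive (not RESTHeart's or graphql-java's code): it parses the schema snippet from the issue, drops from each type the fields whose @visible roles do not intersect the client's roles, and reports a selection of a hidden field as an undefined field, which is how graphql-java's field visibility makes hidden fields fail validation (and disappear from introspection) instead of returning null. The Person type body, its salary field and the hr role are constructed for this example.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the issue's snippet plus a Person type with a role-restricted field.
SDL = """
directive @visible(roles: [String!]!) on FIELD_DEFINITION
type Query {
  hidden: String! @visible(roles:["foo", "bar"])
  person(id: ID!): Person
}
type Person {
  id: ID!
  salary: Int @visible(roles:["hr"])
}
"""

# name, optional argument list, ':', type, optional @visible(roles:[...]) application.
FIELD_RE = re.compile(
    r'^(\w+)\s*(?:\([^)]*\))?\s*:\s*[^@\s]+(?:\s*@visible\(roles:\s*\[([^\]]*)\]\))?$'
)

# Schema model: type name -> field name -> allowed roles (None = no directive, visible to all).
Schema = Dict[str, Dict[str, Optional[Set[str]]]]


def parse_schema(sdl: str) -> Schema:
    """Minimal SDL reader for object types whose fields may carry @visible."""
    types: Schema = {}
    current = None
    for raw in sdl.splitlines():
        line = raw.strip()
        m = re.match(r'^type\s+(\w+)\s*\{$', line)
        if m:
            current = m.group(1)
            types[current] = {}
        elif line == '}':
            current = None
        elif current is not None:
            f = FIELD_RE.match(line)
            if not f:
                raise ValueError(f"unsupported field definition: {line!r}")
            roles = f.group(2)
            types[current][f.group(1)] = set(re.findall(r'"([^"]*)"', roles)) if roles is not None else None
    return types


def visible_schema(types: Schema, client_roles: Set[str]) -> Schema:
    """Keep a field if it has no @visible or the client holds at least one listed role."""
    return {t: {f: r for f, r in fields.items() if r is None or r & client_roles}
            for t, fields in types.items()}


def validate_selection(visible: Schema, selections: List[Tuple[str, str]]) -> List[str]:
    """Hidden fields are absent from the role's schema, so selecting them is a validation error."""
    return [f"Field '{f}' in type '{t}' is undefined"
            for t, f in selections if f not in visible.get(t, {})]
```

The same check applies to introspection: a role that cannot see `hidden` must not learn of its existence from `__type`, which is why the field is removed from the schema rather than resolved to null.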