drizzle-team / drizzle-graphql

Automatically generate GraphQL schema or customizable schema config fields from Drizzle ORM schema
https://www.npmjs.com/package/drizzle-graphql
Apache License 2.0

Strategies for authorization #15

Closed olup closed 6 days ago

olup commented 6 days ago

I am watching this project with great hopes.

From experience, an auto-generated db-to-api system needs two crucial things:

There used to be projects like graphql shield that tried to offer that as a universal third party, but it is not maintained anymore. Some frameworks like postgraphile or pg_graphql rely on RLS, but I always thought Authr should live in the codebase, plus column-based security is hard to nail.

So my question would be: what do you recommend as good practice to add authorization in a drizzle-graphql stack? Is there a plan to include something in the library itself?

Cheers

Sukairo-02 commented 6 days ago

Well, for now you can reuse the generated types, add an extra input field for auth and wrap the handler generated by drizzle-graphql in your own with an auth check. As long as you keep the names of the input fields the same, everything should work fine.
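
The wrapping approach described in the comment above, as an added example that is not part of the thread or the library's own code: every generated field is wrapped, and a field with no policy is denied by default. It assumes the generated fields are plain objects with `type`, `args` and `resolve` (as `entities.queries` from `buildSchema` exposes them); `generatedQueries`, `policies`, `guardFields` and `tryResolve` are hypothetical names, and the field data is constructed.

```javascript
// Constructed stand-in for `entities.queries` from drizzle-graphql's buildSchema(db).
// Real fields carry GraphQL type objects and resolvers that query the database.
const generatedQueries = {
  users: {
    type: 'UsersItemList',           // placeholder for a GraphQL type object
    args: { where: 'UsersFilters' }, // placeholder for generated input types
    resolve: () => [{ id: 1, name: 'a' }, { id: 2, name: 'b' }],
  },
  posts: { type: 'PostsItemList', args: {}, resolve: () => [{ id: 10, authorId: 1 }] },
  auditLog: { type: 'AuditLogItemList', args: {}, resolve: () => [{ id: 99 }] },
};

// Hypothetical policy table: field name -> predicate over (args, context).
// The predicate sees both, so the auth value can come from an extra input
// field or from a user object placed on the GraphQL context (assumed here).
const policies = {
  users: (_args, ctx) => ctx.user?.role === 'admin',
  posts: (_args, ctx) => Boolean(ctx.user),
  // No entry for auditLog: it stays denied until someone writes a policy.
};

// Wrap every generated field. `type` and `args` pass through untouched, so the
// generated input names stay the same; only `resolve` gains the check.
function guardFields(fields, policyTable) {
  const guarded = {};
  for (const [name, field] of Object.entries(fields)) {
    const hasPolicy = Object.prototype.hasOwnProperty.call(policyTable, name);
    const allow = hasPolicy ? policyTable[name] : () => false; // deny by default
    guarded[name] = {
      ...field,
      resolve(source, args, context, info) {
        if (!allow(args, context ?? {})) throw new Error(`Forbidden: ${name}`);
        return field.resolve(source, args, context, info);
      },
    };
  }
  return guarded;
}

// Helper for trying a field: returns the resolver result, or the error message.
function tryResolve(fields, name, context) {
  try {
    return fields[name].resolve(null, {}, context, null);
  } catch (err) {
    return err.message;
  }
}
```

Applying the wrapper to the whole `queries` and `mutations` maps, rather than field by field, means a table added to the Drizzle schema later is not exposed until a policy exists for it.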

olup commented 6 days ago

Actually I just reviewed graphql-authz as a maintained auth layer over any schemas that could fit the bill