Field-level Authorization

You can now configure authorization rules on individual fields, in addition to the global and model-level rules.

Consider the following global rules:

schema
  @auth(
    providers: [{ type: oidc, issuer: "{{ env.ISSUER_URL }}" }]
    rules: [{ allow: private, operations: [read] }]
  ) {
  query: Query
}

type User @model {
  id: ID!
  name: String!
  adminNotes: String
}

Now let's add the @auth directive to the adminNotes field so that only members of the admin group will be able to modify it:

schema
  @auth(
    providers: [{ type: oidc, issuer: "{{ env.ISSUER_URL }}" }]
    rules: [{ allow: private, operations: [read] }]
  ) {
  query: Query
}

type User @model {
  id: ID!
  name: String!
  adminNotes: String @auth(rules: [{ allow: groups, groups: ["admin"] }])
}

Field rules replace model/global rules: once a field carries its own @auth directive, the global rule no longer applies to that field at all, so any access you still want to permit on it has to be stated in the field rule itself.
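Because the field rule replaces the global one, a field that should stay readable by any signed-in user needs that read rule restated next to the group rule. The schema below is an added example, not code from the original post; it assumes that field-level rules accept the same `operations` list as the global rule and that `update` is a valid operation name.

```graphql
# Added example (not from the original post): keep "private read" on
# adminNotes while limiting writes to the admin group. Assumes field rules
# accept `operations` and that `update` is a valid operation name.
schema
  @auth(
    providers: [{ type: oidc, issuer: "{{ env.ISSUER_URL }}" }]
    rules: [{ allow: private, operations: [read] }]
  ) {
  query: Query
}

type User @model {
  id: ID!
  name: String!
  # The global "private read" rule no longer applies to this field, so it is
  # restated here; without it, only the admin group could read adminNotes.
  adminNotes: String
    @auth(
      rules: [
        { allow: private, operations: [read] }
        { allow: groups, groups: ["admin"], operations: [update] }
      ]
    )
}
```

If the field should instead be hidden from non-admins entirely, the single group rule from the previous snippet is the one to use; the point is that whichever access remains must be written on the field.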

We'd love to hear your feedback and ideas, so join us on Discord.