Model-level authorization

You can now apply auth rules at the model level in your schema.

Consider the following global rules:

schema
  @auth(
    providers: [{ type: oidc, issuer: "{{ env.ISSUER_URL }}" }]
    rules: [{ allow: private, operations: ["read"] }]
  ) {
  query: Query
}

type User @model {
  id: ID!
  title: String!
}

Now let's add the @auth directive to the User model:

schema
  @auth(
    providers: [{ type: oidc, issuer: "{{ env.ISSUER_URL }}" }]
    rules: [{ allow: private, operations: ["read"] }]
  ) {
  query: Query
}

type User
  @model
  @auth(
    rules: [
      { allow: private, operations: ["read"] }
      { allow: groups, groups: ["admin"] }
    ]
  ) {
  id: ID!
  title: String!
}

As the example shows, even group-based auth can be configured on a per-model basis. These model-level rules override the global auth.
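The override behaviour described above, as an added JavaScript sketch that is not Grafbase's own code: a model with its own rules is evaluated against those rules only, so a global grant does not carry over. The operation set, the `groups` claim name, the default of "all operations" when a rule lists none, and the `AuditLog` and `Comment` models are assumptions made for illustration.

```javascript
// Added illustration of override semantics; not Grafbase's implementation.
// Assumptions: a rule without `operations` grants every operation in ALL_OPS,
// `private` matches any signed-in caller, groups come from a `groups` claim.
const ALL_OPS = ["create", "read", "update", "delete"];

// Global and User rules as written in the page's schema.
const globalRules = [{ allow: "private", operations: ["read"] }];
const modelRules = {
  User: [
    { allow: "private", operations: ["read"] },
    { allow: "groups", groups: ["admin"] },
  ],
  // Hypothetical model: no private rule, so the global read grant is lost.
  AuditLog: [{ allow: "groups", groups: ["admin"] }],
};

// Model-level rules replace the global list; they are not merged with it.
function effectiveRules(model) {
  return Object.prototype.hasOwnProperty.call(modelRules, model)
    ? modelRules[model]
    : globalRules;
}

function ruleMatches(rule, claims) {
  if (!claims) return false; // unauthenticated caller matches nothing
  if (rule.allow === "private") return true;
  if (rule.allow === "groups") {
    const held = Array.isArray(claims.groups) ? claims.groups : [];
    return rule.groups.some((g) => held.includes(g));
  }
  return false; // unknown rule kinds fail closed
}

// True when any effective rule grants `operation` to the caller.
function isAllowed(model, operation, claims) {
  return effectiveRules(model).some(
    (rule) =>
      (rule.operations || ALL_OPS).includes(operation) &&
      ruleMatches(rule, claims)
  );
}

// Constructed token claims for two signed-in callers.
const member = { sub: "u1", groups: ["staff"] };
const admin = { sub: "u2", groups: ["admin"] };

console.log("member reads User:", isAllowed("User", "read", member));
console.log("member reads AuditLog:", isAllowed("AuditLog", "read", member));
console.log("admin updates User:", isAllowed("User", "update", admin));
```

When a model gets its own `@auth`, restate every grant it still needs, as the page's `User` example does by repeating the private read rule.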

We'd love to hear your feedback and ideas, so join us on Discord.