The #1 missing piece for graphql to be clearly way better than alternatives (IMHO), is a functional authorization rule engine. Basically, we need a way to easily write fine-grained attribute-based access control functions like “allow authors to edit and delete the content field of their posts” or “only allow doctors to see records for their patients” — inspired by Nader Dabit’s (et al) interesting work on AWS amplify auth directive here: [packages/graphql-auth-transformer/src/ModelAuthTransformer.ts](https://github.com/aws-amplify/amplify-cli/blob/master/packa...) I carped on the Apollo folks about this and provided a [hackish Ramda solution](https://github.com/ardatan/graphql-tools/issues/1234#issueco...) which seems to have helped lead to [functional directives in graphql-tools](https://www.graphql-tools.com/docs/schema-directives#at-leas...) but still there’s no fine grained ABAC lib I truly love for simplicity.
How can Nexus / Prisma be used to implement custom functional [auth] directives?
SQL is nice for this, and I eventually switched to that, but the column and row level security work independently and are pretty verbose. It would be amazing if sql row/column security were more tightly integrated...
Hey, this seems like an interesting problem to solve at the library level.
I'm a small contributor to a nice and modular Accounts/User library built in TypeScript. It's compatible with several databases, and can be used both with REST and GraphQL transports.
It does indeed have an @auth directive you can use; you can also extend it with new directives, for example ones related to a custom ROLE === ADMIN check, etc., but you need to build this yourself.
No problem! Let me know if you need any help/pointers. We are also on Slack, although it is a pretty silent channel; you can DM me there if you want, or just @me on GitHub (same username as here) if you open an issue in the repo or something!
PS: I might update some work I did adding OAuth with Facebook and accompany it with a decent blog post about how to use the library!
Hasura is legit -- I love it, but eventually decided to switch to plain SQL because this keeps the authorization spec closer to the data as opposed to being in the app layer. Problem is, then you need a great way to handle schema migrations, which are not ideal in PostgreSQL right now. I completely agree Hasura is one of the best options if you're only connecting to the database using Hasura. I just wanted to preserve the option to connect to the database through other means. Maybe that's dumb.
A while back I spent a good few weeks wrangling with NestJS and various other frameworks before I came across Nexus. I managed to rebuild my entire application—all of the work I'd done over the past few weeks—in a few hours with Nexus. Perhaps it was my specific use case, or because I'm a front-end dev primarily, but it really felt like one of those "this is what I've been looking for" moments at the time, similar to how I remember feeling about Vue.js back in 2015. I really like what I see from the Prisma team and I hope I get more chances to use Nexus in future. Congratulations on the release!