Feature Request: Non type related query auth rule

If I have a User type in my schema and I want to do a auth check against that user to access a type, but that user is not related to the type, there is no way to do that.

The auth query rules are limited to the query of the type to which the rule applies.

What would be nice is if I could use the JWT to do a query based upon a predicate attached to the user.

This would allow me to revoke JWTs or even an entire user using just the database and rules. For instance I give the user a JWT with their username. In the database I store a value for User.isActive. Given the JWT I can query this isActive for the user but only to secure the User type. I want to query this to secure other types as well. This would allow me to change the isActive to false which would immediately provide a false auth rule when queries against. The only way to do this right now is to link every User to every node of the type where I want such a rule applied.

4 Likes

Isn’t this something that can be done via the Auth provider that you are using like Auth0 or the likes?

I am using my own JWT generation script. This feature would help control pre-authorized JWTs. Once a JWT is generated, to my knowledge, there is no interaction again with the Auth provider until the user needs to login again.

Any updates on this? I just stumbled over the same problem I think. Like OP said, there is a solution, but adding the user to every Node in the schema sounds bit drastic.

1 Like