GraphQL RBAC without JWT roles!

What is great about this is that if you update a user’s role, you can use the same token above and it will immediately resolve the rules for their new role. No longer will you have to force users to sign out and sign back in to grant additional roles. Also, the best benefit in terms of security is that if a user becomes compromised, you can immediately revoke the role for that specific user without waiting for them to destroy their token or, even worse, invalidating all users’ tokens to make the application secure.

2 Likes
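To make the point of the post concrete, here is an added example (not from the thread or from Dgraph) that contrasts a token carrying a role claim with a token carrying only the subject, where the role is looked up from a store on every request. The HMAC-signed token, the secret, the user store and the permission table are all constructed for the example.

```python
# Added example: role-in-token vs. role-looked-up-per-request (constructed, not Dgraph code).
import base64
import hashlib
import hmac
import json

SECRET = b"demo-signing-secret"  # constructed for the example


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_token(claims: dict) -> str:
    """Minimal HMAC-signed token (a constructed stand-in for a JWT)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str) -> dict:
    """Check the signature and return the claims; rejects tampered tokens."""
    body, sig = token.split(".")
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


# Constructed user store and permission table: the role lives here, not in the token.
USERS = {"alice": {"role": "EDITOR"}}
PERMISSIONS = {"ADMIN": {"read", "write", "delete"}, "EDITOR": {"read", "write"}}


def allowed_by_claim(token: str, action: str) -> bool:
    """Role embedded in the token: stays stale until the token is reissued."""
    role = verify_token(token).get("role", "")
    return action in PERMISSIONS.get(role, set())


def allowed_by_lookup(token: str, action: str) -> bool:
    """Token carries only the subject; the role is resolved from the store per request."""
    user = USERS.get(verify_token(token)["sub"])
    if user is None:  # role revoked or user deleted: denied, no token invalidation needed
        return False
    return action in PERMISSIONS.get(user["role"], set())


def role_change_scenario() -> dict:
    """Promote alice, then revoke her; report what each approach allows at each step."""
    claim_tok, sub_tok = mint_token({"sub": "alice", "role": "EDITOR"}), mint_token({"sub": "alice"})
    out = {"before": (allowed_by_claim(claim_tok, "delete"), allowed_by_lookup(sub_tok, "delete"))}
    USERS["alice"]["role"] = "ADMIN"  # role changed in the store, same tokens reused
    out["promoted"] = (allowed_by_claim(claim_tok, "delete"), allowed_by_lookup(sub_tok, "delete"))
    USERS.pop("alice")  # revoke the user entirely
    out["revoked"] = (allowed_by_claim(claim_tok, "read"), allowed_by_lookup(sub_tok, "read"))
    return out
```

Each tuple is (claim-based result, lookup-based result): after promotion only the lookup approach grants `delete` on the unchanged token, and after revocation the claim-based token keeps working until it expires.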

This is absolutely wonderful, and the best workaround for DGraph that I have seen!

That being said, this should STILL be built-in so that the @auth rules can use external types out of the box:

J

1 Like