More simple auth rules

Hey, so I saw some examples with the auth directive and I found it quite hard to keep track of all the rules, because it's defined in a very bulky and unreadable way.

I’d like to suggest something like authRole(…) where you just say what “ROLE” specification needs to be defined in the JWT.

Since your requirements vary from project to project, it would also be useful to be able to define your own directives.

For now I'm thinking about creating a lambda field where my JavaScript decides about auth, or creating a simple coding language that evaluates permissions (edit: like Firebase, as you mentioned), as a workaround :slight_smile:

1 Like

I disagree with authRole, as that assumes we want to always control the query by a role. It could be any variable that means anything in JWT, as many projects have different needs.

However, I strongly agree with this and find the auth rules very bulky and hard to keep track of. My suggestion would be to have auth rules separate from the schema.

There are also no validation rules, so you have to use custom lambdas to keep track of this until the day validation rules are available. My suggestion would be to somehow merge the two, auth rules and validation rules, into something similar to Firestore rules:

Here you can see an example of how this works:

Firestore Security Rules Cookbook

This is a must for security.

J

3 Likes