Hey :slightly_smiling_face: We have basic auth set...
# graphql-nexus
s
Hey 🙂 We have basic auth set up using graphql-shield that checks auth via bearer token, but we want to further restrict what data they can access down to specific rows, e.g. User A owns records 1, 2, 3; User B owns records 4, 5, 6. We ended up with something like
```js
import { rule } from 'graphql-shield';

const isAuthed = rule()(async (parent, args, ctx) => {
  // Only works when the FE filters with `where: { id: { equals: ... } }`
  const recordId = ctx.where?.id?.equals;

  /* do rest of auth using recordId */
});
```
This obviously sucks because if the FE chooses to use `in` or `contains` or any other input, it won't work. One thing we have thought is to allow something like
```graphql
query getRecords {
  records(recordId: "someId") {
    uuid
  }
}
```
But when creating the record query we have
```js
t.crud.records({ filtering: true, ordering: true, pagination: true });
```
and we can't find a way to say for type `query` on `records` accept a `recordId` argument. The other option is to run the query and then check when it comes back. Anybody have any thoughts on how they are authorising these types of owned records?
r
@Swapnull 👋 I think one way to do this would be setting the `userId` beforehand in the resolver after adding the filters. Something like:
```js
prisma.record.findMany({
  where: {
    userId: 1,
    ...restOfTheFilters
  }
})
```
This is something that could be explored where the `userId` can be obtained from the `context`. I'm doubtful that this could be solved with `graphql-shield` due to the fact that the filter arguments could contain anything here. Let me know if this is a viable solution.
s
Thanks Ryan. This is actually the way one of our devs suggested and started trying out yesterday. It seems like it is going to be the most flexible way to achieve what we want. Thanks for validating.