# orm-help
m: Hi Guys, just started using Prisma, loving it so far. I found the following article https://www.prisma.io/blog/graphql-directive-permissions-authorization-made-easy-54c076b5368e/ on how to add authorization to fields and mutations. How should I implement this with auto-generated mutations? For example, updatePost = admin only?
l: Hi Max, welcome! Can you explain what you mean by "auto-generated mutation"? I'm going to assume you mean the Prisma mutations. Prisma is designed to sit behind an application server (save for very specific use cases). The article focuses on how to secure the application server, not Prisma itself. Prisma is secured by tokens and by sitting behind the application server.
m: @lawjolla Thanks for your answer, so you're saying that the Prisma mutations won't work if a user sends them to the public GraphQL endpoint of my Node server?
For example, I haven't defined a posts() query, but if I fire { posts { id } } in http://localhost:3000/playground, it works.
l: That's right, because you're accessing Prisma directly.
m: That makes sense; it would be a huge security risk otherwise. Thanks
l: Are you worried that others may have direct Prisma access? If so, you'll want to make sure it has a security token. For instance, when I access my Prisma's playground, I have to keep giving it a Bearer token.
m: No, I was worried all the Prisma-generated queries/mutations were accessible on the public endpoint 🙂
l: Gotcha. By default, nothing is available. You have to make the types and/or import them (see graphql-import) and make the corresponding resolvers.
m: Thanks, it all makes sense now 🙂
i: If you want to access Prisma directly, just use forwarding. There is an example on forwarding in the Prisma repo.
But the basic idea is that you write your `updatePost` mutation in the schema, write it in the resolvers with `forwardTo`, and it will call the auto-generated method from Prisma. Then you just add shield to it.
m: Awesome, that reduces boilerplate 🙂