How to apply Permissions in Redwood

Yes, thanks to the Guild, release 1.0 does use GraphQL Yoga. Please see the announcement here: Redwood 1.0.0-rc.final is Available 🚀

tl;dr:

🧶 Yarn 3 Hits the Primetime
☄️ So. Many. New Deploy Providers: baremetal, Flightcontrol, and Layer0
⚛️ GraphQL Server goes Yoga

At the moment, the authentication model out of the box supports RBAC but not ABAC or permissions.

This is on the roadmap for v2. Auth0 and Okta and others do have some mechanism to set that info in their access tokens. Others like Supabase are also thinking about having this feature in the future.

This is something that, if you are interested, you could help define and pick the right tools and patterns – for example, evaluating packages like CASL.js to see if it is a good fit. Redwood will likely need an RFC to help guide that design and implementation process and we’d welcome your (and everyone’s) input.

At the moment, though, you may be able to implement something on your own using a Validator Directive – FYI @requireAuth is just a prepackaged validator directive – and then do your checks api side.

For the web side, if you store some permission info on the user metadata, you may be able to do some permissions checks, but in a page/component rather than at the router level.
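
A sketch of the validator-directive approach described in the post above, as an added example that is not part of the original post and not Redwood's own code. The `@requirePermission` directive name, the `permissions` array on `currentUser` and the `post:delete`-style strings are assumptions; the error classes are local stand-ins so the block runs outside a Redwood app.

```javascript
// Stand-ins for the AuthenticationError / ForbiddenError that
// @redwoodjs/graphql-server exports (defined here so the block runs alone).
class AuthenticationError extends Error {}
class ForbiddenError extends Error {}

// Hypothetical SDL for the directive:
//   directive @requirePermission(permissions: [String!]!) on FIELD_DEFINITION

// Pure check, usable api side and (for hiding UI only) in a page/component.
// Assumption: user.permissions is an array of strings set by getCurrentUser().
function hasPermissions(user, required) {
  // Fail closed: an empty or missing requirement never grants access.
  if (!user || !Array.isArray(required) || required.length === 0) return false
  // Only accept a real array. A plain string here would make a naive
  // `.includes()` check do substring matching ('post:delete-own' ~ 'post:delete').
  const granted = new Set(
    Array.isArray(user.permissions)
      ? user.permissions.filter((p) => typeof p === 'string')
      : []
  )
  return required.every((p) => granted.has(p))
}

// Validator body: throws to deny, returns nothing to allow.
function validatePermission({ context, directiveArgs }) {
  const user = context && context.currentUser
  if (!user) {
    throw new AuthenticationError("You don't have permission to do that.")
  }
  const required = directiveArgs && directiveArgs.permissions
  if (!hasPermissions(user, required)) {
    // Generic message: do not tell the client which permission is missing.
    throw new ForbiddenError("You don't have access to do that.")
  }
}

// In a Redwood api side directive file the wiring would be:
//   import { createValidatorDirective } from '@redwoodjs/graphql-server'
//   export default createValidatorDirective(schema, validatePermission)
// and in an SDL: deletePost(id: Int!): Post! @requirePermission(permissions: ["post:delete"])
```

The api-side directive is the enforcement point; calling `hasPermissions` in a page or component only decides what to render.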