We are using Azure AD auth, and I’ve been rolling out RBAC across the codebase. I had already built it into the front-end and have followed Authentication | RedwoodJS Docs and Role-based Access Control (RBAC) | RedwoodJS Docs
Regarding locking down the back-end, there are guidelines for locking down both Prisma services and GraphQL. Although the two are tightly integrated in the stack, my inclination is that the best approach is to lock down both in case one ends up having a vulnerability. Defense in depth. Layered protection.
My question is regarding the
@requireAuth() GraphQL directive Directives | RedwoodJS Docs listed on the bottom of the Authentication | RedwoodJS Docs page (NB: locking down the GraphQL side isn’t mentioned at all on the RBAC page - I would think it should be - that page only references locking down the services).
I have my RBAC roles defined in a separate module that is imported. I have groups like read only, write access, data manager, admin - this way I can easily control which roles have which access. I often know I want to have all “write access” roles able to call a mutation, for example. Makes it much easier to manage. But I can’t for the life of me find how to pass those into the gql`` query string. I don’t want to pass them as variables in the GraphQL call, because somebody could then pass different values and potentially bypass those protections.
Is there any way to include a string variable within the gql`` schema definition so they can be used in the
I guess the alternative is to roll custom directives (Directives | RedwoodJS Docs) that are group-specific, e.g.
@requireWriteAccess(), but wondering if that’s the best way or if there are alternatives.