Is anyone successfully using the CRUD generated resolvers in a production environment?

[eduardolundgren]

I've been exploring the CRUD generated resolvers provided by typegraphql-prisma and found them immensely powerful, especially when it comes to handling complex use-cases involving nested relations, connect, and connectOrCreate during updates.

However, I'm facing significant challenges when it comes to implementing a robust authorization layer on top of these generated methods. While Authorized and Middlewares are useful tools in TypeGraphQL, their application seems tricky in the context of our generated resolvers, particularly when our schema involves real-world relations like a User, Organizations, and an intermediary Memberships table for associating users to orgs.

I wanted to reach out to the community and inquire:

1. Is anyone successfully using these CRUD generated resolvers in a production environment?
2. If so, how have you approached adding authorization, especially in scenarios with nested relations or connect/connectOrCreate operations?
3. Are there best practices or patterns you'd recommend to make this process smoother and more secure?

Any insights or shared experiences would be greatly appreciated. I believe that understanding this better can potentially benefit many others looking to utilize typegraphql-prisma to its full potential.

Thank you!

model User {
  id Int @id @default(autoincrement())
  email String @unique
  password String
  firstName String
  lastName String
  memberships Membership[]
  /// @TypeGraphQL.omit(input: true)
  role Role @default(USER)
}

model Organization {
  id Int @id @default(autoincrement())
  name String
  createdAt DateTime @default(now())
  updatedAt DateTime @updatedAt
  repositories Repository[]
  applications Application[]
  memberships Membership[]
}

enum Role {
  ORGANIZATION_ADMIN
  ORGANIZATION_OWNER
  ORGANIZATION_MEMBER
  USER
  SYSTEM_ADMIN
}

model Membership {
  user           User         @relation(fields: [userId], references: [id], onDelete: Cascade)
  userId         Int
  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
  organizationId Int
  role           Role
  createdAt DateTime @default(now())
  updatedAt DateTime @updatedAt
  active Boolean @default(true)
  @@id([userId, organizationId])
}

[jbeckton]

I don't have anything in production but you could look at how Strapi or Directus, both opensource, handle authorization. They both generate graphql apis from a definition of sort. I personally plan to utilize CASL for mine. CASL will allow you to create abilities based on object structures that can define field level access.

[eduardolundgren]

Thank you for the suggestions. I will definitely check out Strapi and Directus to see how they handle authorization.