nest-rs-authz 0.2.0

CASL-style authorization for nestrs: one ability definition driving an access gate, a SeaORM query pre-filter, and response field-masking. Transport bindings (`http`, `graphql`, `mcp`) live behind Cargo features; the database-coupled extractors (`Bind`, `bind`, `LoaderScope`, `WsDataContext`) live in `nest-rs-seaorm` so the engine stays free of a data-layer dependency.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

//! GraphQL bindings (feature `graphql`) — the resolver analog of
//! [`crate::http`]: [`GraphqlAbilityBridge`] is the per-operation guard that
//! authenticates and installs the ambient ability; [`authorize`] is the
//! class-level gate; [`ability`] accesses the per-request ability. Importing
//! this module submits the `GraphqlContextSeed` that forwards `Arc<Ability>` into
//! each operation's GraphQL context.
//!
//! Data-coupled bindings live in `nest_rs_seaorm::graphql` (`bind`,
//! `LoaderScope`).
//!
//! ```ignore
//! #[resolver]
//! impl UsersResolver {
//!     #[query]
//!     async fn users(&self, ctx: &Context<'_>) -> Result<Vec<User>> {
//!         authorize::<Read, users::Entity>(ctx)?;
//!         // ...
//!     }
//! }
//! ```

mod authorize;
mod bridge;
mod context;
mod mask;

pub use authorize::authorize;
pub use bridge::GraphqlAbilityBridge;
pub use context::ability;
pub use mask::{masked_output, masked_output_for};