@cedarjs/internal 4.0.0-canary.13813 → 4.0.0-canary.13814

package/dist/cjs/generate/gqlormSchema.d.ts

@@ -22,6 +22,13 @@ export interface BackendModelInfo {
     fields: BackendFieldInfo[];
     idField: BackendFieldInfo | undefined;
 }
+export interface GqlormBackendConfig {
+    membershipModel: string;
+    membershipModelCamel: string;
+    membershipUserField: string;
+    membershipOrganizationField: string;
+    membershipModelExists: boolean;
+}
 /**
  * Map a DMMF field type to its GraphQL SDL equivalent.
  *
@@ -76,7 +83,7 @@ export declare function getExistingSdlTypeNames(graphqlDir: string): Set<string>
  * and fields — no hidden/sensitive fields, no @gqlorm hide models, no
  * dependency on the generated Prisma client path or @prisma/client.
  */
-export declare function generateGqlormBackendContent(models: BackendModelInfo[]): string;
+export declare function generateGqlormBackendContent(models: BackendModelInfo[], config?: GqlormBackendConfig): string;
 /**
  * Generate gqlorm artifacts from the Prisma schema.
  *

package/dist/cjs/generate/gqlormSchema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"gqlormSchema.d.ts","sourceRoot":"","sources":["../../../src/generate/gqlormSchema.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,KAAK,IAAI,MAAM,cAAc,CAAA;AA8BzC,KAAK,WAAW,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;AAE3C,UAAU,iBAAiB;IACzB,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,MAAM,CAAA;CACf;AAED,UAAU,iBAAiB;IACzB,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,EAAE,iBAAiB,EAAE,CAAA;CAC5B;AAMD,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAA;IACZ,WAAW,EAAE,MAAM,CAAA;IACnB,UAAU,EAAE,OAAO,CAAA;IACnB,IAAI,EAAE,OAAO,CAAA;CACd;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;IACjB,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,gBAAgB,EAAE,CAAA;IAC1B,OAAO,EAAE,gBAAgB,GAAG,SAAS,CAAA;CACtC;AAqDD;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAMvE;AAoGD,wBAAgB,sBAAsB,CACpC,IAAI,EAAE,IAAI,CAAC,QAAQ,GAClB,iBAAiB,EAAE,CAiDrB;AAED,wBAAgB,8BAA8B,CAC5C,MAAM,EAAE,iBAAiB,EAAE,GAC1B,MAAM,CA2CR;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,GAAG,WAAW,CAkDjE;AAMD;;;;;;;;;;;;GAYG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,GAAG,gBAAgB,EAAE,CA2D7E;AAkBD;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CA6BvE;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,4BAA4B,CAC1C,MAAM,EAAE,gBAAgB,EAAE,GACzB,MAAM,CA0IR;AAMD;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC;IACvD,KAAK,EAAE,MAAM,EAAE,CAAA;IACf,MAAM,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,EAAE,CAAA;CAC9C,CAAC,CAgFD"}
+{"version":3,"file":"gqlormSchema.d.ts","sourceRoot":"","sources":["../../../src/generate/gqlormSchema.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,KAAK,IAAI,MAAM,cAAc,CAAA;AA8BzC,KAAK,WAAW,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;AAE3C,UAAU,iBAAiB;IACzB,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,MAAM,CAAA;CACf;AAED,UAAU,iBAAiB;IACzB,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,EAAE,iBAAiB,EAAE,CAAA;CAC5B;AAMD,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAA;IACZ,WAAW,EAAE,MAAM,CAAA;IACnB,UAAU,EAAE,OAAO,CAAA;IACnB,IAAI,EAAE,OAAO,CAAA;CACd;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;IACjB,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,gBAAgB,EAAE,CAAA;IAC1B,OAAO,EAAE,gBAAgB,GAAG,SAAS,CAAA;CACtC;AAED,MAAM,WAAW,mBAAmB;IAClC,eAAe,EAAE,MAAM,CAAA;IACvB,oBAAoB,EAAE,MAAM,CAAA;IAC5B,mBAAmB,EAAE,MAAM,CAAA;IAC3B,2BAA2B,EAAE,MAAM,CAAA;IACnC,qBAAqB,EAAE,OAAO,CAAA;CAC/B;AA6DD;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAMvE;AAoGD,wBAAgB,sBAAsB,CACpC,IAAI,EAAE,IAAI,CAAC,QAAQ,GAClB,iBAAiB,EAAE,CAiDrB;AAED,wBAAgB,8BAA8B,CAC5C,MAAM,EAAE,iBAAiB,EAAE,GAC1B,MAAM,CA2CR;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,GAAG,WAAW,CAkDjE;AAMD;;;;;;;;;;;;GAYG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,GAAG,gBAAgB,EAAE,CA2D7E;AAkBD;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CA6BvE;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,4BAA4B,CAC1C,MAAM,EAAE,gBAAgB,EAAE,EAC1B,MAAM,GAAE,mBAAmD,GAC1D,MAAM,CA0VR;AAMD;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC;IACvD,KAAK,EAAE,MAAM,EAAE,CAAA;IACf,MAAM,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,EAAE,CAAA;CAC9C,CAAC,CAwHD"}

package/dist/cjs/generate/gqlormSchema.js

@@ -57,6 +57,13 @@ const SENSITIVE_PATTERNS = [
   "encryptionkey",
   "privatekey"
 ];
+const DEFAULT_GQLORM_BACKEND_CONFIG = {
+  membershipModel: "Membership",
+  membershipModelCamel: "membership",
+  membershipUserField: "userId",
+  membershipOrganizationField: "organizationId",
+  membershipModelExists: false
+};
 function hasDirective(doc, directive) {
   if (!doc) {
     return false;
@@ -341,16 +348,37 @@ function getExistingSdlTypeNames(graphqlDir) {
   }
   return typeNames;
 }
-function generateGqlormBackendContent(models) {
+function generateGqlormBackendContent(models, config = DEFAULT_GQLORM_BACKEND_CONFIG) {
   if (models.length === 0) {
     return "";
   }
+  const anyModelNeedsOrgScoping = config.membershipModelExists && models.some(
+    (m) => m.camelName !== config.membershipModelCamel && m.fields.some((f) => f.name === config.membershipOrganizationField)
+  );
+  const anyModelNeedsAuth = models.some((m) => {
+    const hasUserField = m.fields.some(
+      (f) => f.name === config.membershipUserField
+    );
+    const hasOrgField = m.fields.some(
+      (f) => f.name === config.membershipOrganizationField
+    );
+    const isMembership = m.camelName === config.membershipModelCamel;
+    return hasUserField || hasOrgField && config.membershipModelExists && !isMembership;
+  });
   const lines = [
     "// This file is auto-generated by Cedar gqlorm codegen.",
     "// Do not edit \u2014 it will be overwritten on every codegen run.",
     "// To hide a model from gqlorm, add /// @gqlorm hide in schema.prisma.",
     "",
     "import gql from 'graphql-tag'",
+    ...anyModelNeedsAuth ? [
+      "import { AuthenticationError, ForbiddenError } from '@cedarjs/graphql-server'"
+    ] : [],
+    "",
+    "// Minimal context type used in auth checks",
+    "interface GqlormContext {",
+    "  currentUser: Record<string, unknown> | null | undefined",
+    "}",
     "",
     "// Generated minimal interface \u2014 only visible models and fields, only the",
     "// operations used by this file. No @gqlorm hide models, no sensitive fields.",
@@ -362,7 +390,8 @@ function generateGqlormBackendContent(models) {
     const selectType = model.fields.map((f) => `${f.name}: true`).join("; ");
     lines.push(`  ${model.camelName}: {`);
     lines.push("    findMany(args: {");
-    lines.push(`      select: { ${selectType} }`);
+    lines.push("      where?: Record<string, unknown>");
+    lines.push(`      select: Partial<{ ${selectType} }>`);
     lines.push("    }): Promise<");
     lines.push("      Array<{");
     for (const field of model.fields) {
@@ -389,6 +418,29 @@ function generateGqlormBackendContent(models) {
       }
       lines.push("    } | null>");
     }
+    if (anyModelNeedsOrgScoping && model.camelName === config.membershipModelCamel) {
+      lines.push("    findFirst(args: {");
+      lines.push("      where: Record<string, unknown>");
+      lines.push("    }): Promise<Record<string, unknown> | null>");
+    }
+    lines.push("  }");
+  }
+  const membershipAlreadyInModels = models.some(
+    (m) => m.camelName === config.membershipModelCamel
+  );
+  if (anyModelNeedsOrgScoping && !membershipAlreadyInModels) {
+    lines.push(`  ${config.membershipModelCamel}: {`);
+    lines.push("    findMany(args: {");
+    lines.push("      where: Record<string, unknown>");
+    lines.push(`      select: { ${config.membershipOrganizationField}: true }`);
+    lines.push("    }): Promise<");
+    lines.push(
+      `      Array<{ ${config.membershipOrganizationField}: unknown }>`
+    );
+    lines.push("    >");
+    lines.push("    findFirst(args: {");
+    lines.push("      where: Record<string, unknown>");
+    lines.push("    }): Promise<Record<string, unknown> | null>");
     lines.push("  }");
   }
   lines.push("}");
@@ -405,11 +457,22 @@ function generateGqlormBackendContent(models) {
   }
   lines.push("  type Query {");
   for (const model of models) {
-    lines.push(`    ${model.pluralName}: [${model.modelName}!]! @skipAuth`);
+    const hasUserField = model.fields.some(
+      (f) => f.name === config.membershipUserField
+    );
+    const hasOrgField = model.fields.some(
+      (f) => f.name === config.membershipOrganizationField
+    );
+    const isMembershipModel = model.camelName === config.membershipModelCamel;
+    const needsAuth = hasUserField || hasOrgField && config.membershipModelExists && !isMembershipModel;
+    const authDirective = needsAuth ? "@requireAuth" : "@skipAuth";
+    lines.push(
+      `    ${model.pluralName}: [${model.modelName}!]! ${authDirective}`
+    );
     if (model.idField) {
       const idNullMark = model.idField.isRequired ? "!" : "";
       lines.push(
-        `    ${model.camelName}(${model.idField.name}: ${model.idField.graphqlType}${idNullMark}): ${model.modelName} @skipAuth`
+        `    ${model.camelName}(${model.idField.name}: ${model.idField.graphqlType}${idNullMark}): ${model.modelName} ${authDirective}`
       );
     }
   }
@@ -428,21 +491,133 @@ function generateGqlormBackendContent(models) {
   for (let i = 0; i < models.length; i++) {
     const model = models[i];
     const selectObj = model.fields.map((f) => `${f.name}: true`).join(", ");
-    lines.push(`      ${model.pluralName}: () => {`);
-    lines.push(`        return db.${model.camelName}.findMany({`);
-    lines.push(`          select: { ${selectObj} },`);
-    lines.push("        })");
+    const hasUserField = model.fields.some(
+      (f) => f.name === config.membershipUserField
+    );
+    const hasOrgField = model.fields.some(
+      (f) => f.name === config.membershipOrganizationField
+    );
+    const isMembershipModel = model.camelName === config.membershipModelCamel;
+    const useOrgScoping = hasOrgField && config.membershipModelExists && !isMembershipModel;
+    lines.push(
+      `      ${model.pluralName}: async (_root: unknown, _args: unknown, ${hasUserField || useOrgScoping ? "context" : "_context"}: GqlormContext) => {`
+    );
+    if (hasUserField || useOrgScoping) {
+      lines.push("        if (!context.currentUser) {");
+      lines.push(
+        `          throw new AuthenticationError("You don't have permission to do that.")`
+      );
+      lines.push("        }");
+      lines.push("        const currentUserId = context.currentUser['id']");
+      lines.push(
+        "        if (currentUserId === undefined || currentUserId === null) {"
+      );
+      lines.push(
+        `          throw new AuthenticationError("Could not determine the current user's ID.")`
+      );
+      lines.push("        }");
+      lines.push("        const where: Record<string, unknown> = {}");
+      if (hasUserField) {
+        lines.push("        // Scope to the current user");
+        lines.push(
+          `        where['${config.membershipUserField}'] = currentUserId`
+        );
+      }
+      if (useOrgScoping) {
+        lines.push("        // Scope to the current user's organizations");
+        lines.push(
+          `        const memberships = await db.${config.membershipModelCamel}.findMany({`
+        );
+        lines.push(
+          `          where: { ${config.membershipUserField}: currentUserId },`
+        );
+        lines.push(
+          `          select: { ${config.membershipOrganizationField}: true },`
+        );
+        lines.push("        })");
+        lines.push(
+          `        const organizationIds = memberships.map((m) => m.${config.membershipOrganizationField})`
+        );
+        lines.push(
+          `        where['${config.membershipOrganizationField}'] = { in: organizationIds }`
+        );
+      }
+      lines.push(`        return db.${model.camelName}.findMany({`);
+      lines.push("          where,");
+      lines.push(`          select: { ${selectObj} },`);
+      lines.push("        })");
+    } else {
+      lines.push(`        return db.${model.camelName}.findMany({`);
+      lines.push(`          select: { ${selectObj} },`);
+      lines.push("        })");
+    }
     lines.push("      },");
     if (model.idField) {
       const idFieldName = model.idField.name;
       const tsType = graphqlTypeToTsType(model.idField.graphqlType);
       lines.push(
-        `      ${model.camelName}: (_root: unknown, { ${idFieldName} }: { ${idFieldName}: ${tsType} }) => {`
+        `      ${model.camelName}: async (_root: unknown, { ${idFieldName} }: { ${idFieldName}: ${tsType} }, ${hasUserField || useOrgScoping ? "context" : "_context"}: GqlormContext) => {`
+      );
+      if (hasUserField || useOrgScoping) {
+        lines.push("        if (!context.currentUser) {");
+        lines.push(
+          `          throw new AuthenticationError("You don't have permission to do that.")`
+        );
+        lines.push("        }");
+        lines.push("        const currentUserId = context.currentUser['id']");
+        lines.push(
+          "        if (currentUserId === undefined || currentUserId === null) {"
+        );
+        lines.push(
+          `          throw new AuthenticationError("Could not determine the current user's ID.")`
+        );
+        lines.push("        }");
+      }
+      lines.push("");
+      lines.push(
+        `        const record = await db.${model.camelName}.findUnique({`
       );
-      lines.push(`        return db.${model.camelName}.findUnique({`);
       lines.push(`          where: { ${idFieldName} },`);
       lines.push(`          select: { ${selectObj} },`);
       lines.push("        })");
+      lines.push("");
+      lines.push("        if (!record) {");
+      lines.push("          return null");
+      lines.push("        }");
+      if (hasUserField) {
+        lines.push("");
+        lines.push("        // Verify the current user owns this record");
+        lines.push(
+          `        if (record.${config.membershipUserField} !== currentUserId) {`
+        );
+        lines.push(
+          `          throw new ForbiddenError('Not authorized to access this resource')`
+        );
+        lines.push("        }");
+      }
+      if (useOrgScoping) {
+        lines.push("");
+        lines.push(
+          "        // Verify the current user belongs to the record's organization"
+        );
+        lines.push(
+          `        const membership = await db.${config.membershipModelCamel}.findFirst({`
+        );
+        lines.push("          where: {");
+        lines.push(`            ${config.membershipUserField}: currentUserId,`);
+        lines.push(
+          `            ${config.membershipOrganizationField}: record.${config.membershipOrganizationField},`
+        );
+        lines.push("          },");
+        lines.push("        })");
+        lines.push("        if (!membership) {");
+        lines.push(
+          `          throw new ForbiddenError('Not authorized to access this resource')`
+        );
+        lines.push("        }");
+      }
+      lines.push("");
+      lines.push("        return record");
       lines.push("      },");
     }
     if (i < models.length - 1) {
@@ -489,11 +664,37 @@ async function generateGqlormArtifacts() {
       const graphqlDir = paths.api.graphql;
       const existingTypes = getExistingSdlTypeNames(graphqlDir);
       const allModels = buildBackendModelInfo(dmmf);
+      const gqlormConfig = (0, import_project_config.getConfig)().experimental.gqlorm;
+      const membershipModel = gqlormConfig.membershipModel ?? "Membership";
+      const membershipModelCamel = membershipModel.charAt(0).toLowerCase() + membershipModel.slice(1);
+      const membershipUserField = gqlormConfig.membershipUserField ?? "userId";
+      const membershipOrganizationField = gqlormConfig.membershipOrganizationField ?? "organizationId";
+      const membershipModelExists = dmmf.datamodel.models.some(
+        (m) => m.name === membershipModel
+      );
+      const backendConfig = {
+        membershipModel,
+        membershipModelCamel,
+        membershipUserField,
+        membershipOrganizationField,
+        membershipModelExists
+      };
       const gqlormModels = allModels.filter(
         (m) => !existingTypes.has(m.modelName)
       );
+      const anyModelHasOrgField = gqlormModels.some(
+        (m) => m.fields.some((f) => f.name === membershipOrganizationField)
+      );
+      if (anyModelHasOrgField && !membershipModelExists) {
+        console.warn(
+          `[gqlorm] One or more models have a \`${membershipOrganizationField}\` field, but the membership model "${membershipModel}" was not found in the schema. Organization-based access scoping will not be applied for these models. Add a \`${membershipModel}\` model to your schema.prisma or configure \`experimental.gqlorm.membershipModel\` in cedar.toml.`
+        );
+      }
       if (gqlormModels.length > 0) {
-        const backendContent = generateGqlormBackendContent(gqlormModels);
+        const backendContent = generateGqlormBackendContent(
+          gqlormModels,
+          backendConfig
+        );
         import_node_fs.default.mkdirSync(backendOutputDir, { recursive: true });
         import_node_fs.default.writeFileSync(backendOutputPath, backendContent);
         files.push(backendOutputPath);

package/dist/generate/gqlormSchema.d.ts

@@ -22,6 +22,13 @@ export interface BackendModelInfo {
     fields: BackendFieldInfo[];
     idField: BackendFieldInfo | undefined;
 }
+export interface GqlormBackendConfig {
+    membershipModel: string;
+    membershipModelCamel: string;
+    membershipUserField: string;
+    membershipOrganizationField: string;
+    membershipModelExists: boolean;
+}
 /**
  * Map a DMMF field type to its GraphQL SDL equivalent.
  *
@@ -76,7 +83,7 @@ export declare function getExistingSdlTypeNames(graphqlDir: string): Set<string>
  * and fields — no hidden/sensitive fields, no @gqlorm hide models, no
  * dependency on the generated Prisma client path or @prisma/client.
  */
-export declare function generateGqlormBackendContent(models: BackendModelInfo[]): string;
+export declare function generateGqlormBackendContent(models: BackendModelInfo[], config?: GqlormBackendConfig): string;
 /**
  * Generate gqlorm artifacts from the Prisma schema.
  *

package/dist/generate/gqlormSchema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"gqlormSchema.d.ts","sourceRoot":"","sources":["../../src/generate/gqlormSchema.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,KAAK,IAAI,MAAM,cAAc,CAAA;AA8BzC,KAAK,WAAW,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;AAE3C,UAAU,iBAAiB;IACzB,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,MAAM,CAAA;CACf;AAED,UAAU,iBAAiB;IACzB,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,EAAE,iBAAiB,EAAE,CAAA;CAC5B;AAMD,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAA;IACZ,WAAW,EAAE,MAAM,CAAA;IACnB,UAAU,EAAE,OAAO,CAAA;IACnB,IAAI,EAAE,OAAO,CAAA;CACd;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;IACjB,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,gBAAgB,EAAE,CAAA;IAC1B,OAAO,EAAE,gBAAgB,GAAG,SAAS,CAAA;CACtC;AAqDD;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAMvE;AAoGD,wBAAgB,sBAAsB,CACpC,IAAI,EAAE,IAAI,CAAC,QAAQ,GAClB,iBAAiB,EAAE,CAiDrB;AAED,wBAAgB,8BAA8B,CAC5C,MAAM,EAAE,iBAAiB,EAAE,GAC1B,MAAM,CA2CR;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,GAAG,WAAW,CAkDjE;AAMD;;;;;;;;;;;;GAYG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,GAAG,gBAAgB,EAAE,CA2D7E;AAkBD;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CA6BvE;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,4BAA4B,CAC1C,MAAM,EAAE,gBAAgB,EAAE,GACzB,MAAM,CA0IR;AAMD;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC;IACvD,KAAK,EAAE,MAAM,EAAE,CAAA;IACf,MAAM,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,EAAE,CAAA;CAC9C,CAAC,CAgFD"}
+{"version":3,"file":"gqlormSchema.d.ts","sourceRoot":"","sources":["../../src/generate/gqlormSchema.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,KAAK,IAAI,MAAM,cAAc,CAAA;AA8BzC,KAAK,WAAW,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;AAE3C,UAAU,iBAAiB;IACzB,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,MAAM,CAAA;CACf;AAED,UAAU,iBAAiB;IACzB,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,EAAE,iBAAiB,EAAE,CAAA;CAC5B;AAMD,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAA;IACZ,WAAW,EAAE,MAAM,CAAA;IACnB,UAAU,EAAE,OAAO,CAAA;IACnB,IAAI,EAAE,OAAO,CAAA;CACd;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;IACjB,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,gBAAgB,EAAE,CAAA;IAC1B,OAAO,EAAE,gBAAgB,GAAG,SAAS,CAAA;CACtC;AAED,MAAM,WAAW,mBAAmB;IAClC,eAAe,EAAE,MAAM,CAAA;IACvB,oBAAoB,EAAE,MAAM,CAAA;IAC5B,mBAAmB,EAAE,MAAM,CAAA;IAC3B,2BAA2B,EAAE,MAAM,CAAA;IACnC,qBAAqB,EAAE,OAAO,CAAA;CAC/B;AA6DD;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAMvE;AAoGD,wBAAgB,sBAAsB,CACpC,IAAI,EAAE,IAAI,CAAC,QAAQ,GAClB,iBAAiB,EAAE,CAiDrB;AAED,wBAAgB,8BAA8B,CAC5C,MAAM,EAAE,iBAAiB,EAAE,GAC1B,MAAM,CA2CR;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,GAAG,WAAW,CAkDjE;AAMD;;;;;;;;;;;;GAYG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,GAAG,gBAAgB,EAAE,CA2D7E;AAkBD;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,UAAU,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CA6BvE;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,4BAA4B,CAC1C,MAAM,EAAE,gBAAgB,EAAE,EAC1B,MAAM,GAAE,mBAAmD,GAC1D,MAAM,CA0VR;AAMD;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC;IACvD,KAAK,EAAE,MAAM,EAAE,CAAA;IACf,MAAM,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,EAAE,CAAA;CAC9C,CAAC,CAwHD"}

package/dist/generate/gqlormSchema.js

@@ -17,6 +17,13 @@ const SENSITIVE_PATTERNS = [
   "encryptionkey",
   "privatekey"
 ];
+const DEFAULT_GQLORM_BACKEND_CONFIG = {
+  membershipModel: "Membership",
+  membershipModelCamel: "membership",
+  membershipUserField: "userId",
+  membershipOrganizationField: "organizationId",
+  membershipModelExists: false
+};
 function hasDirective(doc, directive) {
   if (!doc) {
     return false;
@@ -301,16 +308,37 @@ function getExistingSdlTypeNames(graphqlDir) {
   }
   return typeNames;
 }
-function generateGqlormBackendContent(models) {
+function generateGqlormBackendContent(models, config = DEFAULT_GQLORM_BACKEND_CONFIG) {
   if (models.length === 0) {
     return "";
   }
+  const anyModelNeedsOrgScoping = config.membershipModelExists && models.some(
+    (m) => m.camelName !== config.membershipModelCamel && m.fields.some((f) => f.name === config.membershipOrganizationField)
+  );
+  const anyModelNeedsAuth = models.some((m) => {
+    const hasUserField = m.fields.some(
+      (f) => f.name === config.membershipUserField
+    );
+    const hasOrgField = m.fields.some(
+      (f) => f.name === config.membershipOrganizationField
+    );
+    const isMembership = m.camelName === config.membershipModelCamel;
+    return hasUserField || hasOrgField && config.membershipModelExists && !isMembership;
+  });
   const lines = [
     "// This file is auto-generated by Cedar gqlorm codegen.",
     "// Do not edit \u2014 it will be overwritten on every codegen run.",
     "// To hide a model from gqlorm, add /// @gqlorm hide in schema.prisma.",
     "",
     "import gql from 'graphql-tag'",
+    ...anyModelNeedsAuth ? [
+      "import { AuthenticationError, ForbiddenError } from '@cedarjs/graphql-server'"
+    ] : [],
+    "",
+    "// Minimal context type used in auth checks",
+    "interface GqlormContext {",
+    "  currentUser: Record<string, unknown> | null | undefined",
+    "}",
     "",
     "// Generated minimal interface \u2014 only visible models and fields, only the",
     "// operations used by this file. No @gqlorm hide models, no sensitive fields.",
@@ -322,7 +350,8 @@ function generateGqlormBackendContent(models) {
     const selectType = model.fields.map((f) => `${f.name}: true`).join("; ");
     lines.push(`  ${model.camelName}: {`);
     lines.push("    findMany(args: {");
-    lines.push(`      select: { ${selectType} }`);
+    lines.push("      where?: Record<string, unknown>");
+    lines.push(`      select: Partial<{ ${selectType} }>`);
     lines.push("    }): Promise<");
     lines.push("      Array<{");
     for (const field of model.fields) {
@@ -349,6 +378,29 @@ function generateGqlormBackendContent(models) {
       }
       lines.push("    } | null>");
     }
+    if (anyModelNeedsOrgScoping && model.camelName === config.membershipModelCamel) {
+      lines.push("    findFirst(args: {");
+      lines.push("      where: Record<string, unknown>");
+      lines.push("    }): Promise<Record<string, unknown> | null>");
+    }
+    lines.push("  }");
+  }
+  const membershipAlreadyInModels = models.some(
+    (m) => m.camelName === config.membershipModelCamel
+  );
+  if (anyModelNeedsOrgScoping && !membershipAlreadyInModels) {
+    lines.push(`  ${config.membershipModelCamel}: {`);
+    lines.push("    findMany(args: {");
+    lines.push("      where: Record<string, unknown>");
+    lines.push(`      select: { ${config.membershipOrganizationField}: true }`);
+    lines.push("    }): Promise<");
+    lines.push(
+      `      Array<{ ${config.membershipOrganizationField}: unknown }>`
+    );
+    lines.push("    >");
+    lines.push("    findFirst(args: {");
+    lines.push("      where: Record<string, unknown>");
+    lines.push("    }): Promise<Record<string, unknown> | null>");
     lines.push("  }");
   }
   lines.push("}");
@@ -365,11 +417,22 @@ function generateGqlormBackendContent(models) {
   }
   lines.push("  type Query {");
   for (const model of models) {
-    lines.push(`    ${model.pluralName}: [${model.modelName}!]! @skipAuth`);
+    const hasUserField = model.fields.some(
+      (f) => f.name === config.membershipUserField
+    );
+    const hasOrgField = model.fields.some(
+      (f) => f.name === config.membershipOrganizationField
+    );
+    const isMembershipModel = model.camelName === config.membershipModelCamel;
+    const needsAuth = hasUserField || hasOrgField && config.membershipModelExists && !isMembershipModel;
+    const authDirective = needsAuth ? "@requireAuth" : "@skipAuth";
+    lines.push(
+      `    ${model.pluralName}: [${model.modelName}!]! ${authDirective}`
+    );
     if (model.idField) {
       const idNullMark = model.idField.isRequired ? "!" : "";
       lines.push(
-        `    ${model.camelName}(${model.idField.name}: ${model.idField.graphqlType}${idNullMark}): ${model.modelName} @skipAuth`
+        `    ${model.camelName}(${model.idField.name}: ${model.idField.graphqlType}${idNullMark}): ${model.modelName} ${authDirective}`
       );
     }
   }
@@ -388,21 +451,133 @@ function generateGqlormBackendContent(models) {
   for (let i = 0; i < models.length; i++) {
     const model = models[i];
     const selectObj = model.fields.map((f) => `${f.name}: true`).join(", ");
-    lines.push(`      ${model.pluralName}: () => {`);
-    lines.push(`        return db.${model.camelName}.findMany({`);
-    lines.push(`          select: { ${selectObj} },`);
-    lines.push("        })");
+    const hasUserField = model.fields.some(
+      (f) => f.name === config.membershipUserField
+    );
+    const hasOrgField = model.fields.some(
+      (f) => f.name === config.membershipOrganizationField
+    );
+    const isMembershipModel = model.camelName === config.membershipModelCamel;
+    const useOrgScoping = hasOrgField && config.membershipModelExists && !isMembershipModel;
+    lines.push(
+      `      ${model.pluralName}: async (_root: unknown, _args: unknown, ${hasUserField || useOrgScoping ? "context" : "_context"}: GqlormContext) => {`
+    );
+    if (hasUserField || useOrgScoping) {
+      lines.push("        if (!context.currentUser) {");
+      lines.push(
+        `          throw new AuthenticationError("You don't have permission to do that.")`
+      );
+      lines.push("        }");
+      lines.push("        const currentUserId = context.currentUser['id']");
+      lines.push(
+        "        if (currentUserId === undefined || currentUserId === null) {"
+      );
+      lines.push(
+        `          throw new AuthenticationError("Could not determine the current user's ID.")`
+      );
+      lines.push("        }");
+      lines.push("        const where: Record<string, unknown> = {}");
+      if (hasUserField) {
+        lines.push("        // Scope to the current user");
+        lines.push(
+          `        where['${config.membershipUserField}'] = currentUserId`
+        );
+      }
+      if (useOrgScoping) {
+        lines.push("        // Scope to the current user's organizations");
+        lines.push(
+          `        const memberships = await db.${config.membershipModelCamel}.findMany({`
+        );
+        lines.push(
+          `          where: { ${config.membershipUserField}: currentUserId },`
+        );
+        lines.push(
+          `          select: { ${config.membershipOrganizationField}: true },`
+        );
+        lines.push("        })");
+        lines.push(
+          `        const organizationIds = memberships.map((m) => m.${config.membershipOrganizationField})`
+        );
+        lines.push(
+          `        where['${config.membershipOrganizationField}'] = { in: organizationIds }`
+        );
+      }
+      lines.push(`        return db.${model.camelName}.findMany({`);
+      lines.push("          where,");
+      lines.push(`          select: { ${selectObj} },`);
+      lines.push("        })");
+    } else {
+      lines.push(`        return db.${model.camelName}.findMany({`);
+      lines.push(`          select: { ${selectObj} },`);
+      lines.push("        })");
+    }
     lines.push("      },");
     if (model.idField) {
       const idFieldName = model.idField.name;
       const tsType = graphqlTypeToTsType(model.idField.graphqlType);
       lines.push(
-        `      ${model.camelName}: (_root: unknown, { ${idFieldName} }: { ${idFieldName}: ${tsType} }) => {`
+        `      ${model.camelName}: async (_root: unknown, { ${idFieldName} }: { ${idFieldName}: ${tsType} }, ${hasUserField || useOrgScoping ? "context" : "_context"}: GqlormContext) => {`
+      );
+      if (hasUserField || useOrgScoping) {
+        lines.push("        if (!context.currentUser) {");
+        lines.push(
+          `          throw new AuthenticationError("You don't have permission to do that.")`
+        );
+        lines.push("        }");
+        lines.push("        const currentUserId = context.currentUser['id']");
+        lines.push(
+          "        if (currentUserId === undefined || currentUserId === null) {"
+        );
+        lines.push(
+          `          throw new AuthenticationError("Could not determine the current user's ID.")`
+        );
+        lines.push("        }");
+      }
+      lines.push("");
+      lines.push(
+        `        const record = await db.${model.camelName}.findUnique({`
       );
-      lines.push(`        return db.${model.camelName}.findUnique({`);
       lines.push(`          where: { ${idFieldName} },`);
       lines.push(`          select: { ${selectObj} },`);
       lines.push("        })");
+      lines.push("");
+      lines.push("        if (!record) {");
+      lines.push("          return null");
+      lines.push("        }");
+      if (hasUserField) {
+        lines.push("");
+        lines.push("        // Verify the current user owns this record");
+        lines.push(
+          `        if (record.${config.membershipUserField} !== currentUserId) {`
+        );
+        lines.push(
+          `          throw new ForbiddenError('Not authorized to access this resource')`
+        );
+        lines.push("        }");
+      }
+      if (useOrgScoping) {
+        lines.push("");
+        lines.push(
+          "        // Verify the current user belongs to the record's organization"
+        );
+        lines.push(
+          `        const membership = await db.${config.membershipModelCamel}.findFirst({`
+        );
+        lines.push("          where: {");
+        lines.push(`            ${config.membershipUserField}: currentUserId,`);
+        lines.push(
+          `            ${config.membershipOrganizationField}: record.${config.membershipOrganizationField},`
+        );
+        lines.push("          },");
+        lines.push("        })");
+        lines.push("        if (!membership) {");
+        lines.push(
+          `          throw new ForbiddenError('Not authorized to access this resource')`
+        );
+        lines.push("        }");
+      }
+      lines.push("");
+      lines.push("        return record");
       lines.push("      },");
     }
     if (i < models.length - 1) {
@@ -449,11 +624,37 @@ async function generateGqlormArtifacts() {
       const graphqlDir = paths.api.graphql;
       const existingTypes = getExistingSdlTypeNames(graphqlDir);
       const allModels = buildBackendModelInfo(dmmf);
+      const gqlormConfig = getConfig().experimental.gqlorm;
+      const membershipModel = gqlormConfig.membershipModel ?? "Membership";
+      const membershipModelCamel = membershipModel.charAt(0).toLowerCase() + membershipModel.slice(1);
+      const membershipUserField = gqlormConfig.membershipUserField ?? "userId";
+      const membershipOrganizationField = gqlormConfig.membershipOrganizationField ?? "organizationId";
+      const membershipModelExists = dmmf.datamodel.models.some(
+        (m) => m.name === membershipModel
+      );
+      const backendConfig = {
+        membershipModel,
+        membershipModelCamel,
+        membershipUserField,
+        membershipOrganizationField,
+        membershipModelExists
+      };
       const gqlormModels = allModels.filter(
         (m) => !existingTypes.has(m.modelName)
       );
+      const anyModelHasOrgField = gqlormModels.some(
+        (m) => m.fields.some((f) => f.name === membershipOrganizationField)
+      );
+      if (anyModelHasOrgField && !membershipModelExists) {
+        console.warn(
+          `[gqlorm] One or more models have a \`${membershipOrganizationField}\` field, but the membership model "${membershipModel}" was not found in the schema. Organization-based access scoping will not be applied for these models. Add a \`${membershipModel}\` model to your schema.prisma or configure \`experimental.gqlorm.membershipModel\` in cedar.toml.`
+        );
+      }
       if (gqlormModels.length > 0) {
-        const backendContent = generateGqlormBackendContent(gqlormModels);
+        const backendContent = generateGqlormBackendContent(
+          gqlormModels,
+          backendConfig
+        );
         fs.mkdirSync(backendOutputDir, { recursive: true });
         fs.writeFileSync(backendOutputPath, backendContent);
         files.push(backendOutputPath);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cedarjs/internal",
-  "version": "4.0.0-canary.13813+9c6f670ae9",
+  "version": "4.0.0-canary.13814+3150cd24f2",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/cedarjs/cedar.git",
@@ -159,13 +159,13 @@
     "@babel/plugin-transform-react-jsx": "7.28.6",
     "@babel/plugin-transform-typescript": "^7.26.8",
     "@babel/traverse": "7.29.0",
-    "@cedarjs/babel-config": "4.0.0-canary.13813",
-    "@cedarjs/cli-helpers": "4.0.0-canary.13813",
-    "@cedarjs/graphql-server": "4.0.0-canary.13813",
-    "@cedarjs/project-config": "4.0.0-canary.13813",
-    "@cedarjs/router": "4.0.0-canary.13813",
-    "@cedarjs/structure": "4.0.0-canary.13813",
-    "@cedarjs/utils": "4.0.0-canary.13813",
+    "@cedarjs/babel-config": "4.0.0-canary.13814",
+    "@cedarjs/cli-helpers": "4.0.0-canary.13814",
+    "@cedarjs/graphql-server": "4.0.0-canary.13814",
+    "@cedarjs/project-config": "4.0.0-canary.13814",
+    "@cedarjs/router": "4.0.0-canary.13814",
+    "@cedarjs/structure": "4.0.0-canary.13814",
+    "@cedarjs/utils": "4.0.0-canary.13814",
     "@graphql-codegen/add": "6.0.0",
     "@graphql-codegen/cli": "6.2.1",
     "@graphql-codegen/client-preset": "5.2.4",
@@ -198,7 +198,7 @@
   },
   "devDependencies": {
     "@arethetypeswrong/cli": "0.18.2",
-    "@cedarjs/framework-tools": "4.0.0-canary.13813",
+    "@cedarjs/framework-tools": "4.0.0-canary.13814",
     "concurrently": "9.2.1",
     "graphql-tag": "2.12.6",
     "publint": "0.3.18",
@@ -211,5 +211,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "9c6f670ae9b1c903854fc4ba8a27592f27b634d2"
+  "gitHead": "3150cd24f242d15164dfafe0e64928bf5e3e1aca"
 }