Hacker News | graphweaver's comments

We agree, with any GraphQL API you need to make sure it is hardened for production.

We are looking to add more documentation on this soon and maybe a tutorial series on exactly this.


We have some docs on that here:

https://graphweaver.com/docs/implementing-authorization

The auth, the access control, is at the API layer.


This is true, but like with any build there are many decisions to make. We have settled on this stack for our APIs and we think others will find it useful.


Cool! How do security and multi-tenancy work in Graphweaver? These were a really excruciating afterthought in Postgraphile…


Here are some links around security:

https://graphweaver.com/docs/adding-local-authentication

https://graphweaver.com/docs/implementing-authorization

https://graphweaver.com/docs/column-level-security

We have deployed Graphweaver using serverless and Lambda; it would be interesting to see how we could convert it to multi-tenant.


Could you expand on how security is an afterthought in Postgraphile? My experience of using RLS and the graphile pro plugin was nice and secure imo. Curious if I missed something here.


So I have a list of my own stuff but I want for other people who are in my circle to be able to see outfits I've shared with them. If all the lists of stuff are created in an automated way, doing things like this is somewhat harder than the default CRUD stuff, and managing passing tokens and doing the filtering is fine but feels like a use case that should be as automatic as possible. I haven't used the Pro plugin; I'm not sure if we knew about it or what it does.

