[Feat.] Support for granular permissions levels management for gateway users/accounts #169
Description
Context
Currently, all restricted queries/mutations require a gateway's root user access, by specifying the operator secret in the request.
The root user is created during the database migration step based on the OPERATOR_SECRET environment variable provided by the gateway administrator.
However, there is a use case for more granular permissions management, as we may want different users to have different levels of access to some or all of the restricted actions. For example, gateway user A may only be allowed to use the setFeaturedNfts mutation and user B may only be allowed to use the excludeChannel mutation, while neither user A nor B should be allowed to use the setKillSwitch mutation (which should only be usable by the Gateway Operator).
Proposal
We can add a permissions field to the User entity, which can only be managed by the Operator. Everything else should remain the same, i.e. these permissioned Gateway users will use the same authentication scheme as normal gateway users or anonymous users.
After successful authentication, the GraphQL middleware will check whether the user is authorized to perform a specific action based on his permissions.
```graphql
type User @entity {
  "Unique identifier (32-byte string, securely random)"
  id: ID!

  # Add new field
  "user permissions"
  permissions: Permissions
}
```

Also, add the following OperatorOnly mutations to manage the permission levels of different users:
- Create a user with privileges/permission mutation
- Add permissions to any existing gateway user
- Revoke or Change certain user permissions
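
The authorization check proposed above, sketched as an added example (not code from this issue or from the gateway's code base). The permission names, the `isRoot` flag and the `grantPermissions`/`revokePermissions` mutation names are assumptions, since the issue does not define the `Permissions` type or name the new mutations.

```typescript
// Hypothetical permission names; the issue leaves `Permissions` undefined.
type Permission = "SET_FEATURED_NFTS" | "EXCLUDE_CHANNEL";
type Requirement = Permission | "OPERATOR_ONLY";

interface GatewayUser {
  id: string;
  isRoot: boolean; // assumed flag for the operator (root) user
  permissions: Permission[];
}

// One entry per restricted field. OPERATOR_ONLY entries can never be delegated.
const REQUIREMENTS: Record<string, Requirement> = {
  setFeaturedNfts: "SET_FEATURED_NFTS",
  excludeChannel: "EXCLUDE_CHANNEL",
  setKillSwitch: "OPERATOR_ONLY",
  grantPermissions: "OPERATOR_ONLY", // hypothetical mutation name
  revokePermissions: "OPERATOR_ONLY", // hypothetical mutation name
};

// Called by the middleware for restricted fields only, after authentication.
function isAuthorized(user: GatewayUser | null, field: string): boolean {
  if (user === null) return false; // unauthenticated caller
  if (user.isRoot) return true; // operator keeps full access
  // Fail closed: a restricted field with no mapping is denied. The own-property
  // check stops names such as "constructor" resolving via the prototype chain.
  if (!Object.prototype.hasOwnProperty.call(REQUIREMENTS, field)) return false;
  const required = REQUIREMENTS[field];
  if (required === "OPERATOR_ONLY") return false;
  return user.permissions.indexOf(required) !== -1;
}

// Permission management goes through the same check, so a permissioned
// user cannot extend their own or anyone else's access.
function grantPermissions(
  actor: GatewayUser | null,
  target: GatewayUser,
  perms: Permission[]
): GatewayUser {
  if (!isAuthorized(actor, "grantPermissions")) {
    throw new Error("grantPermissions is operator-only");
  }
  const merged = target.permissions
    .concat(perms)
    .filter((p, i, all) => all.indexOf(p) === i); // drop duplicates
  return { ...target, permissions: merged };
}
```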