Authorizer: Pass operation type in addition to context

[mwoelk]

Is your feature request related to a problem? Please describe.
Right now a custom Authorizer can be defined by e.g. implementing Authorizer and passing the new class via a decorator.
In the implementation of the authorize function we are only passed the graphql context.
The authorization applies the same to all operations (query/updateOne/updateMany/etc...).
Often we might have different authorization requirements for read/write operations.

E.g. a user might be allowed to read all other users but should only be allowed to update/delete his own user.

Have you read the Contributing Guidelines?

yes

Describe the solution you'd like

Authorizer Implementation

The authorizer should also receive information on the type of the method that should be authorized and in the best case some additional data that was passed by the user to also allow for fine grained authorization.

Example that would allow to update the isArchived field only on ToDos that are owned by the user:

async authorize(context: GraphqlContext, method: string, data: any) {
    if(method.startsWith('update') && data.update.isArchived) {
       return { ownerId: { eq: context.req.user.id } };
    }
    return {};
}

AuthorizerFilter

The @AuthorizerFilter() could be adapted to pass the name of the decorated function by default to the method argument of the authorize function (this could e.g. be overriden by a decorator argument). In a similar fashion, the @Args of the decorated method should be passed to the data.

Authorize decorator

With such an addition, the @Authorize decorator could also be used to authorize the create* methods by checking the input data and throwing an exception if the creation should be forbidden.

This approach would also keep backwards-compatibility because a user doesn't need to use the method/data arguments in his custom Authorizer.