Add authentication policy decorator to object type itself

[kelleyvanevert]

Hey!

First of all: I'm loving this library, great appreciation, keep up the work! :)

The "issue" I'm running into is that in order to specify the required authorization for accessing data, I can only rely on field and field resolver decorators. (I wrote little helper decorators @Authorized(<DSL>) and @Authenticated and stick those onto most of my objects' fields and field resolvers.)

However, for some entities / object types, it's way more natural to think about policies accessing them in the first place. For instance, I'd like to express the fact that the entire PhoneNumber object type can only ever be accessed if the user currently logged in is the user specified in the ownerId attribute of the underlying object, or an admin. Instead, I can only guarantee this in one of two ways (both of which I use):

• Stick this logic onto each and every field / field resolver for the object type
• Make sure that the request never reaches this object type through other fields / field resolvers unless the auth criteria is met

The former is tedious. The latter will stay required, but makes reasoning about the PhoneNumber's auth policy harder, because it's non-local, or "emergent" or something :P

What I'd love to do is just stick this auth policy into a decorator around / in the PhoneNumber object type, like so:

@ObjectType()
@Authorization(<DSL>)
class PhoneNumber {
  ...
}

Because of the way GraphQL works, this doesn't in itself make any sense, I recognise that it could only really be a shortcut for applying the same logic to each and every field / field resolver of the object type. But it would be way less tedious and more readable.

I can't seem to make this work easily, does anybody have an idea on how to approach this?