You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Authorize annotation now matches user ID and user name claims
Previously the authorize annotation only checked DefaultRoleClaimType.
Now it also checks DefaultUserIdClaimType and DefaultNameClaimType,
consistent with sse_scope authorize behavior. The SSE matching scope
was also aligned to check all three claim types.
This allows callers to handle the upstream response appropriately (`.json()`, `.blob()`, `.text()`, etc.), just like `proxy_out` endpoints.
28
28
29
+
### `authorize` Annotation Now Matches User ID and User Name Claims
30
+
31
+
The `authorize` comment annotation previously only matched against role claims (`DefaultRoleClaimType`). It now also matches against user ID (`DefaultUserIdClaimType`) and user name (`DefaultNameClaimType`) claims, aligning with the behavior that `sse_scope authorize` already had.
32
+
33
+
This means you can now restrict endpoint access to specific users, not just roles:
34
+
35
+
```sql
36
+
-- Authorize by role (existing behavior)
37
+
comment on function get_reports() is 'authorize admin';
38
+
39
+
-- Authorize by user name (new)
40
+
comment on function get_my_profile() is 'authorize john';
41
+
42
+
-- Authorize by user ID (new)
43
+
comment on function get_account() is 'authorize user123';
44
+
45
+
-- Mix of roles and user identifiers (new)
46
+
comment on function get_data() is 'authorize admin, user123, jane';
47
+
```
48
+
49
+
The SSE `matching` scope was also aligned to check all three claim types, making authorization behavior consistent across all features.
50
+
29
51
---
30
52
31
53
## Version [3.11.0](https://github.com/NpgsqlRest/NpgsqlRest/tree/3.11.0) (2026-03-10)
0 commit comments