chore(release): router crates and artifacts

knope-bot[bot] · web-flow · commit 972a3417011f · 2025-11-21T16:12:25.000Z
diff --git a/.changeset/authz-directives.md b/.changeset/authz-directives.md
diff --git a/.changeset/shared_utilities_to_handle_vrl_expressions.md b/.changeset/shared_utilities_to_handle_vrl_expressions.md
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/bin/router/CHANGELOG.md b/bin/router/CHANGELOG.md
@@ -116,6 +116,67 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Other
 
 - *(deps)* update release-plz/action action to v0.5.113 ([#389](https://github.com/graphql-hive/router/pull/389))
+## 0.0.20 (2025-11-21)
+
+### Features
+
+- support authenticated and requiresScopes directives (#538)
+
+#### Directive-Based Authorization
+
+Introducing directive-based authorization. This allows you to enforce fine-grained access control directly from your subgraph schemas using the `@authenticated` and `@requiresScopes` directives.
+
+This new authorization layer runs before the query planner, ensuring that unauthorized requests are handled efficiently without reaching your subgraphs.
+
+#### Configuration
+
+You can configure how the router handles unauthorized requests with two modes:
+
+- **`filter`** (default): Silently removes any fields the user is not authorized to see from the query. The response will contain `null` for the removed fields and an error in the `errors` array.
+- **`reject`**: Rejects the entire GraphQL operation if it requests any field the user is not authorized to access.
+
+To configure this, add the following to your `router.yaml` configuration file:
+
+```yaml
+authentication:
+  directives:
+    unauthorized:
+      # "filter" (default): Removes unauthorized fields from the query and returns errors.
+      # "reject": Rejects the entire request if any unauthorized field is requested.
+      mode: reject
+```
+
+If this section is omitted, the router will use `filter` mode by default.
+
+#### JWT Scope Requirements
+
+When using the `@requiresScopes` directive, the router expects the user's granted scopes to be present in the JWT payload. The scopes should be in an array of strings or a string (scopes separated by space), within a claim named `scope`.
+
+Here is an example of a JWT payload with the correct format:
+
+```json
+{
+  "sub": "user-123",
+  "scope": [
+    "read:products",
+    "write:reviews"
+  ],
+  "iat": 1516239022
+}
+```
+
+#### Breaking
+
+Removed `pool_idle_timeout_seconds` from `traffic_shaping`, instead use `pool_idle_timeout` with duration format.
+
+```diff
+traffic_shaping:
+-  pool_idle_timeout_seconds: 30
++  pool_idle_timeout: 30s
+```
+
+##540 by @ardatan
+
 ## 0.0.19 (2025-11-19)
 
 ### Features
diff --git a/bin/router/Cargo.toml b/bin/router/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "hive-router"
-version = "0.0.19"
+version = "0.0.20"
 edition = "2021"
 description = "GraphQL router/gateway for Federation"
 license = "MIT"
@@ -16,9 +16,9 @@ name = "hive_router"
 path = "src/main.rs"
 
 [dependencies]
-hive-router-query-planner = { path = "../../lib/query-planner", version = "2.0.2" }
-hive-router-plan-executor = { path = "../../lib/executor", version = "6.0.1" }
-hive-router-config = { path = "../../lib/router-config", version = "0.0.11" }
+hive-router-query-planner = { path = "../../lib/query-planner", version = "2.1.0" }
+hive-router-plan-executor = { path = "../../lib/executor", version = "6.1.0" }
+hive-router-config = { path = "../../lib/router-config", version = "0.0.12" }
 
 tokio = { workspace = true }
 futures = { workspace = true }
diff --git a/lib/executor/CHANGELOG.md b/lib/executor/CHANGELOG.md
@@ -94,6 +94,65 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Other
 
 - *(deps)* update release-plz/action action to v0.5.113 ([#389](https://github.com/graphql-hive/router/pull/389))
+## 6.1.0 (2025-11-21)
+
+### Features
+
+#### Directive-Based Authorization
+
+Introducing directive-based authorization. This allows you to enforce fine-grained access control directly from your subgraph schemas using the `@authenticated` and `@requiresScopes` directives.
+
+This new authorization layer runs before the query planner, ensuring that unauthorized requests are handled efficiently without reaching your subgraphs.
+
+#### Configuration
+
+You can configure how the router handles unauthorized requests with two modes:
+
+- **`filter`** (default): Silently removes any fields the user is not authorized to see from the query. The response will contain `null` for the removed fields and an error in the `errors` array.
+- **`reject`**: Rejects the entire GraphQL operation if it requests any field the user is not authorized to access.
+
+To configure this, add the following to your `router.yaml` configuration file:
+
+```yaml
+authentication:
+  directives:
+    unauthorized:
+      # "filter" (default): Removes unauthorized fields from the query and returns errors.
+      # "reject": Rejects the entire request if any unauthorized field is requested.
+      mode: reject
+```
+
+If this section is omitted, the router will use `filter` mode by default.
+
+#### JWT Scope Requirements
+
+When using the `@requiresScopes` directive, the router expects the user's granted scopes to be present in the JWT payload. The scopes should be in an array of strings or a string (scopes separated by space), within a claim named `scope`.
+
+Here is an example of a JWT payload with the correct format:
+
+```json
+{
+  "sub": "user-123",
+  "scope": [
+    "read:products",
+    "write:reviews"
+  ],
+  "iat": 1516239022
+}
+```
+
+#### Breaking
+
+Removed `pool_idle_timeout_seconds` from `traffic_shaping`, instead use `pool_idle_timeout` with duration format.
+
+```diff
+traffic_shaping:
+-  pool_idle_timeout_seconds: 30
++  pool_idle_timeout: 30s
+```
+
+##540 by @ardatan
+
 ## 6.0.1 (2025-11-04)
 
 ### Fixes
diff --git a/lib/executor/Cargo.toml b/lib/executor/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "hive-router-plan-executor"
-version = "6.0.1"
+version = "6.1.0"
 edition = "2021"
 description = "GraphQL query planner executor for Federation specification"
 license = "MIT"
@@ -12,8 +12,8 @@ authors = ["The Guild"]
 [lib]
 
 [dependencies]
-hive-router-query-planner = { path = "../query-planner", version = "2.0.2" }
-hive-router-config = { path = "../router-config", version = "0.0.11" }
+hive-router-query-planner = { path = "../query-planner", version = "2.1.0" }
+hive-router-config = { path = "../router-config", version = "0.0.12" }
 
 graphql-parser = { workspace = true }
 graphql-tools = { workspace = true }
diff --git a/lib/query-planner/CHANGELOG.md b/lib/query-planner/CHANGELOG.md
@@ -30,3 +30,49 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Other
 
 - *(deps)* update release-plz/action action to v0.5.113 ([#389](https://github.com/graphql-hive/router/pull/389))
+## 2.1.0 (2025-11-21)
+
+### Features
+
+#### Directive-Based Authorization
+
+Introducing directive-based authorization. This allows you to enforce fine-grained access control directly from your subgraph schemas using the `@authenticated` and `@requiresScopes` directives.
+
+This new authorization layer runs before the query planner, ensuring that unauthorized requests are handled efficiently without reaching your subgraphs.
+
+#### Configuration
+
+You can configure how the router handles unauthorized requests with two modes:
+
+- **`filter`** (default): Silently removes any fields the user is not authorized to see from the query. The response will contain `null` for the removed fields and an error in the `errors` array.
+- **`reject`**: Rejects the entire GraphQL operation if it requests any field the user is not authorized to access.
+
+To configure this, add the following to your `router.yaml` configuration file:
+
+```yaml
+authentication:
+  directives:
+    unauthorized:
+      # "filter" (default): Removes unauthorized fields from the query and returns errors.
+      # "reject": Rejects the entire request if any unauthorized field is requested.
+      mode: reject
+```
+
+If this section is omitted, the router will use `filter` mode by default.
+
+#### JWT Scope Requirements
+
+When using the `@requiresScopes` directive, the router expects the user's granted scopes to be present in the JWT payload. The scopes should be in an array of strings or a string (scopes separated by space), within a claim named `scope`.
+
+Here is an example of a JWT payload with the correct format:
+
+```json
+{
+  "sub": "user-123",
+  "scope": [
+    "read:products",
+    "write:reviews"
+  ],
+  "iat": 1516239022
+}
+```
diff --git a/lib/query-planner/Cargo.toml b/lib/query-planner/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "hive-router-query-planner"
-version = "2.0.2"
+version = "2.1.0"
 edition = "2021"
 description = "GraphQL query planner for Federation specification"
 license = "MIT"
diff --git a/lib/router-config/CHANGELOG.md b/lib/router-config/CHANGELOG.md
@@ -66,6 +66,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 
 - *(hive-router)* fix docker image issues  ([#394](https://github.com/graphql-hive/router/pull/394))
+## 0.0.12 (2025-11-21)
+
+### Features
+
+#### Breaking
+
+Removed `pool_idle_timeout_seconds` from `traffic_shaping`, instead use `pool_idle_timeout` with duration format.
+
+```diff
+traffic_shaping:
+-  pool_idle_timeout_seconds: 30
++  pool_idle_timeout: 30s
+```
+
+##540 by @ardatan
+
 ## 0.0.11 (2025-11-04)
 
 ### Fixes
diff --git a/lib/router-config/Cargo.toml b/lib/router-config/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "hive-router-config"
-version = "0.0.11"
+version = "0.0.12"
 edition = "2021"
 publish = true
 license = "MIT"
