Allowing at-will joins is dangerous. It seems you are trying to replicate the functionality of PostgREST.

Yeah, it's a proof of concept without any real security added. I do believe security is implementable. How would you use PostgREST to implement authorization in an existing system? It seems to me that we could benefit from a drop-in solution.

Authorization is explained in the docs (done by PostgreSQL). All the bits are together here: https://github.com/subzerocloud/postgrest-starter-kit