Authentication, Authorization & Error Handling with GraphQL (2017-06-27)
Nikolas Burk 👋 Developer at Graphcool $ whoami @nikolasburk
Agenda: 1. GraphQL Introduction 2. Authentication, Authorization & Error Handling in GraphQL 3. Demo & Practical Examples
GraphQL Introduction
What's GraphQL? • new API standard • developed & open-sourced by Facebook • declarative way of fetching & updating data
Schema … defines the data model: type Link { url: String! description: String postedBy: User! } type User { nam...
Queries … only read data: Link(id: "1") { url postedBy { name } } { "data": { "Link": { "url": "https://graph.cool", "poste...
Mutations … write and read data: mutation { createLink(url: "https://graph.cool") { id } } { "data": { "createLink": { "id"...
How does it work?
Authentication, Authorization & Error Handling in GraphQL
Authentication vs Authorization • Authentication: Verifying a user's identity • Authorization: Specifying dat...
Error Handling with REST • permissions are handled in API / business logic layer or middleware • no standardi...
Challenges with GraphQL • fine-grained data access • transport-layer agnostic - no status codes • multiple que...
Error Handling with GraphQL … described in official GraphQL specification
Returning errors: { "data": null, "errors": [ ... ] }
Anatomy of an error • message: information for the developer • locations?: where in query or mutation (line+c...
Example: Required field not provided: mutation { createLink(url: "https://graph.cool") { id } }
Example: Required field not provided: mutation { createLink() { id } } ❌ required url argument is missing
{ "data": null, "errors": [ { "message": "Field 'createLink' argument 'url' of type 'String!' is required but not provided...
Example: Not authorized for specific field (1/2): Link(id: "1") { id description }
Example: Not authorized for specific field (1/2): Link(id: "1") { id description # not authorized }
{ "data": { "Link": { "id": "1", "description": null } }, "errors": [ { "locations": [ { "line": 4, "column":...
…but … this only works for non-required fields like description. type Link { url: String! description: String ...
Example: Not authorized for specific field (2/2): Link(id: "1") { id url }
Example: Not authorized for specific field (2/2): Link(id: "1") { id url # not authorized }
Example: Not authorized for specific field (2/2): { "data": { "Link": null }, "errors": [ { "locations": [ { "li...
…so … with required fields the error bubbles up.
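The two outcomes above (partial data for a nullable field, a null parent for a non-null one), as an added example that is not from the slides, graphql-js or Graphcool: a toy JavaScript executor that applies the specification's null-propagation rule to a constructed schema and constructed data, with an assumed `user.authenticated` flag standing in for the permission layer.

```javascript
// Toy model of the spec's error-propagation rule (added example, not graphql-js or
// Graphcool code). A denied field becomes null and records an error; if the field is
// non-null (String!), the null propagates to the enclosing object, which becomes null too.
// Constructed schema mirroring the slides: Link.url is required, Link.description is not.
const schema = {
  Query: { Link: { type: 'Link', required: false } },
  Link: {
    id:          { type: 'ID',     required: true },
    url:         { type: 'String', required: true },
    description: { type: 'String', required: false },
  },
};

// Constructed data and per-field read checks (`user.authenticated` is an assumed flag).
const links = { '1': { id: '1', url: 'https://graph.cool', description: 'GraphQL backend' } };
const canRead = {
  'Link.url':         (user) => user.authenticated,
  'Link.description': (user) => user.authenticated,
};

// Resolve one selection set against `parent`; returns null if a non-null field failed.
function resolveSelection(typeName, parent, selection, user, errors, path) {
  const result = {};
  for (const [field, sub] of Object.entries(selection)) {
    const def = schema[typeName][field];
    const fieldPath = [...path, field];
    const allowed = (canRead[`${typeName}.${field}`] || (() => true))(user);
    let value = null;
    if (!allowed) {
      errors.push({ message: `Insufficient permissions for field '${field}'`, path: fieldPath });
    } else if (schema[def.type]) {
      // Object-typed field: look up the node (Query.Link by id) and recurse into its fields.
      const child = typeName === 'Query' ? links[sub.args.id] : parent[field];
      value = child ? resolveSelection(def.type, child, sub.fields, user, errors, fieldPath) : null;
    } else {
      value = parent[field] ?? null;
    }
    if (value === null && def.required) return null; // non-null violation bubbles up
    result[field] = value;
  }
  return result;
}

// Execute a selection for a given viewer; mirrors the { data, errors } response shape.
function execute(selection, user) {
  const errors = [];
  const data = resolveSelection('Query', {}, selection, user, errors, []);
  return errors.length ? { data, errors } : { data };
}
```

Run with an unauthenticated viewer against `{ id description }` and `{ id url }` to reproduce the two response shapes from the slides.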
Authorization with GraphQL: Permission Queries • new and powerful approach to access control • based on famil...
Permissions with Graphcool
Demo & Practical Examples
Example Schema: type Link { url: String! description: String comments: [Comment!]! @relation(name: "CommentsOn...
4 Requirements: READ: Only authenticated user can read links CREATE: Only a user who wrote at least one commen...
READ: Only authenticated user can read links
CREATE: Only a user who wrote at least one comment that contains "GraphQL" can create new links: query ($user_...
UPDATE: Only a user who created a link can update it: query ($node_id: ID!, $user_id: ID!) { SomeLinkExists( f...
DELETE: Only a user who created a link can delete it OR the user is an admin: query ($node_id: ID!, $user_id: ...
Resources 📚 • Reinventing Authorization: GraphQL Permission Queries (Article) https://www.graph.cool/blog/201...
Community 🙌 • slack.graph.cool (> 2500 members) • GraphQL Weekly Newsletter • GraphQL Radio Podcast
We're hiring! www.graph.cool/jobs
Thank you! 🙇 … any questions?