Auth, Authz & Error Handling in GraphQL
•
4 likes•1,163 views
Authentication, Authorization & Error Handling with GraphQL
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Auth, Authz & Error Handling in GraphQL
Similar to Auth, Authz & Error Handling in GraphQL (20)
More from Nikolas Burk
More from Nikolas Burk (8)
Recently uploaded
Recently uploaded (20)
Auth, Authz & Error Handling in GraphQL
- 1. Authentication, Authorization & Error Handling with GraphQL
- 2. Nikolas Burk 👋 Developer at Graphcool $ whoami @nikolasburk
- 3. 1. GraphQL Introduction 2. Authentication, Authorization & Error Handling in GraphQL 3. Demo & Practical Examples Agenda @nikolasburk
- 5. What’s GraphQL? • new API standard • developed & open-sourced by Facebook • declarative way of fetching & updating data @nikolasburk
- 6. Schema … defines the data model @nikolasburk type Link { url: String! description: String postedBy: User! } type User { name: String! isAdmin: Boolean! links: [Link!]! }
- 7. Queries … only read data Link(id: “1”) { url postedBy { name } } { “data”: { “Link”: { “url”: “https://graph.cool”, “postedBy”: { “name”: “Sarah” } } } } @nikolasburk
- 8. Queries … only read data @nikolasburk Link(id: “1”) { url postedBy { name } } { “data”: { “Link”: { “url”: “https://graph.cool”, “postedBy”: { “name”: “Sarah” } } } }
- 9. Mutations … write and read data mutation { createLink(url: “https://graph.cool”) { id } } { “data”: { “createLink”: { “id”: “3”, } } } @nikolasburk
- 10. Mutations … write and read data mutation { createLink(url: “https://graph.cool”) { id } } { “data”: { “createLink”: { “id”: “3”, } } } @nikolasburk
- 11. How does it work?
- 12. Authentication, Authorization & Error Handling in GraphQL @nikolasburk
- 13. Authentication vs Authorization @nikolasburk • Authentication: Verifying a user’s identity • Authorization: Specifying data access permissions
- 14. Error Handling with REST @nikolasburk • permissions are handled in API / business logic layer or middleware • no standardized approach • HTTP status codes • permissions expressed in terms of actions
- 15. Challenges with GraphQL @nikolasburk • fine-grained data access • transport-layer agnostic - no status codes • multiple queries in single request are possible
- 16. Error Handling with GraphQL @nikolasburk …described in official GraphQL specification
- 17. Returning errors @nikolasburk { "data": null, "errors": [ ... ] }
- 18. Anatomy of an error @nikolasburk • message: information for the developer • locations?: where in query or mutation (line+column) • path?: which field in the query caused the issue • custom information
- 19. Example: Required field not provided @nikolasburk mutation { createLink(url: “https://graph.cool”) { id } }
- 20. mutation { createLink() { id } } Example: Required field not provided @nikolasburk required url argument is missing ❌
- 21. { "data": null, "errors": [ { "message": "Field 'createLink' argument 'url' of type 'String!' is required but not provided.", "locations": [ { "line": 2, "column": 3 } ], "path": [ "createLink" ] } ] } Example: Required field not provided @nikolasburk required url argument is missing ❌
- 22. @nikolasburk Link(id: “1”) { id description } Example: Not authorized for specific field (1/2)
- 23. @nikolasburk Link(id: “1”) { id description # not authorized } Example: Not authorized for specific field (1/2)
- 24. @nikolasburk { "data": { "Link": { "id": "1", "description": null } }, "errors": [ { "locations": [ { "line": 4, "column": 5 } ], "path": [ "Link", "description" ], "message": "Insufficient Permissions", } ] } Example: Not authorized for specific field (1/2)
- 25. @nikolasburk { "data": { "Link": { "id": "1", "description": null } }, "errors": [ { "locations": [ { "line": 4, "column": 5 } ], "path": [ "Link", "description" ], "message": "Insufficient Permissions", } ] } Example: Not authorized for specific field (1/2)
- 26. @nikolasburk { "data": { "Link": { "id": "1", "description": null } }, "errors": [ { "locations": [ { "line": 4, "column": 5 } ], "path": [ "Link", "description" ], "message": "Insufficient Permissions", } ] } Example: Not authorized for specific field (1/2)
- 27. …but @nikolasburk … this only works for non-required fields like description. type Link { url: String! description: String postedBy: User! }
- 28. @nikolasburk Link(id: “1”) { id url } Example: Not authorized for specific field (2/2)
- 29. @nikolasburk Link(id: “1”) { id url # not authorized } Example: Not authorized for specific field (2/2)
- 30. @nikolasburk Example: Not authorized for specific field (2/2) { "data": { "Link": null }, "errors": [ { "locations": [ { "line": 4, "column": 5 } ], "path": [ "Link", "url" ], "message": "Insufficient Permissions" } ] }
- 31. …so @nikolasburk … with required fields the error bubbles up.
- 32. Authorization with GraphQL: Permission Queries @nikolasburk • new and powerful approach to access control • based on familiar GraphQL queries • express permission rules by accessing the entire data graph and object relations
- 35. Example Schema @nikolasburk type Link { url: String! description: String comments: [Comment!]! @relation(name: "CommentsOnLink") postedBy: User! @relation(name: "UsersLinks") } type User { name: String! isAdmin: Boolean! links: [Link!]! @relation(name: "UsersLinks") comments: [Comment!]! @relation(name: "UsersComments") } type Comment { text: String! link: Link! @relation(name: "CommentsOnLink") writtenBy: User! @relation(name: "UsersComments") }
- 36. 4 Requirements @nikolasburk READ: Only authenticated user can read links CREATE: Only a user who wrote at least one comment that contains “GraphQL” can create new links UPDATE: Only a user who created a link can update it DELETE: Only a user who created a link can delete it OR the user is an admin
- 37. READ: Only authenticated user can read links @nikolasburk
- 38. CREATE: Only a user who wrote at least one comment that contains “GraphQL” can create new links @nikolasburk query ($user_id: ID!) { SomeUserExists( filter: { id: $user_id, comments_some: { text_contains: "GraphQL" } } ) }
- 39. UPDATE: Only a user who created a link can update it @nikolasburk query ($node_id: ID!, $user_id: ID!) { SomeLinkExists( filter: { id: $node_id, postedBy: { id: $user_id } } ) }
- 40. DELETE: Only a user who created a link can delete it OR the user is an admin @nikolasburk query ($node_id: ID!, $user_id: ID!) { SomeUserExists( filter: { id: $user_id, OR: [{ isAdmin:true }, { links_some: { id: $node_id } }] } ) }
- 41. Resources 📚 @nikolasburk • Reinventing Authorization: GraphQL Permission Queries (Article) https://www.graph.cool/blog/2017-04-25-graphql-permission-queries-oolooch8oh/ • Error-Handling in GraphQL (Specification) https://facebook.github.io/graphql/#sec-Errors • Authorization in GraphQL (Discussion) https://www.graph.cool/blog/2017-04-25-graphql-permission-queries-oolooch8oh/ • Authentication and Error Handling in GraphQL (Video) https://www.youtube.com/watch?v=xaorvBjCE7A&t=223s
- 42. Community 🙌 • slack.graph.cool (> 2500 members) • GraphQL Weekly Newsletter • GraphQL Radio Podcast @nikolasburk
- 44. Thank you! 🙇 … any questions? @nikolasburk