5. What’s GraphQL?
• new API standard
• developed & open-sourced by Facebook
• declarative way of fetching & updating data
@nikolasburk
6. Schema
… defines the data model
type Link {
url: String!
description: String
postedBy: User!
}
type User {
name: String!
isAdmin: Boolean!
links: [Link!]!
}
14. Error Handling with REST
• permissions are handled in the API / business logic layer or in middleware
• no standardized approach
• HTTP status codes
• permissions expressed in terms of actions
15. Challenges with GraphQL
• fine-grained data access
• transport-layer agnostic: no HTTP status codes to signal errors
• multiple queries in a single request are possible
16. Error Handling with GraphQL
… described in the official GraphQL specification
18. Anatomy of an error
• message: information for the developer
• locations?: where in query or mutation (line+column)
• path?: which field in the query caused the issue
• custom information
19. Example: Required field not provided
mutation {
createLink(url: "https://graph.cool") {
id
}
}
32. Authorization with GraphQL: Permission Queries
• new and powerful approach to access control
• based on familiar GraphQL queries
• express permission rules by accessing the entire data graph and object relations
35. Example Schema
type Link {
url: String!
description: String
comments: [Comment!]! @relation(name: "CommentsOnLink")
postedBy: User! @relation(name: "UsersLinks")
}
type User {
name: String!
isAdmin: Boolean!
links: [Link!]! @relation(name: "UsersLinks")
comments: [Comment!]! @relation(name: "UsersComments")
}
type Comment {
text: String!
link: Link! @relation(name: "CommentsOnLink")
writtenBy: User! @relation(name: "UsersComments")
}
36. 4 Requirements
READ: Only an authenticated user can read links
CREATE: Only a user who wrote at least one comment that contains "GraphQL" can create new links
UPDATE: Only a user who created a link can update it
DELETE: Only a user who created a link can delete it OR the user is an admin
38. CREATE: Only a user who wrote at least one comment that contains "GraphQL" can create new links
query ($user_id: ID!) {
SomeUserExists(
filter: {
id: $user_id,
comments_some: {
text_contains: "GraphQL"
}
}
)
}
39. UPDATE: Only a user who created a link can update it
query ($node_id: ID!, $user_id: ID!) {
SomeLinkExists(
filter: {
id: $node_id,
postedBy: {
id: $user_id
}
}
)
}
40. DELETE: Only a user who created a link can delete it OR the user is an admin
query ($node_id: ID!, $user_id: ID!) {
SomeUserExists(
filter: {
id: $user_id,
OR: [{
isAdmin: true
}, {
links_some: {
id: $node_id
}
}]
}
)
}
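The three permission queries above (CREATE, UPDATE, DELETE) boil down to "does a matching node exist in the data graph?". The following is an added example, not code from the slides or from Graphcool: a small in-memory evaluator that mirrors each filter over constructed sample data, so the rules can be checked against concrete users and links. It assumes `$user_id` is taken from the verified session and `$node_id` from the operation, and that any unknown operation or missing user is denied.

```javascript
// Added example, not part of the original deck. Constructed sample data graph.
const users = [
  { id: "u1", name: "alice", isAdmin: false },
  { id: "u2", name: "bob", isAdmin: false },
  { id: "u3", name: "carol", isAdmin: true },
];
const links = [
  { id: "l1", url: "https://graph.cool", postedBy: "u1" },
  { id: "l2", url: "https://example.org", postedBy: "u2" },
];
const comments = [
  { id: "c1", text: "GraphQL permission queries", link: "l1", writtenBy: "u1" },
  { id: "c2", text: "nice link", link: "l2", writtenBy: "u2" },
];

// Mirrors: SomeUserExists(filter: { id: $user_id, comments_some: { text_contains: "GraphQL" } })
// text_contains is a case-sensitive substring match, as is String.prototype.includes.
function canCreateLink(userId) {
  return users.some(u => u.id === userId &&
    comments.some(c => c.writtenBy === u.id && c.text.includes("GraphQL")));
}

// Mirrors: SomeLinkExists(filter: { id: $node_id, postedBy: { id: $user_id } })
function canUpdateLink(userId, nodeId) {
  return links.some(l => l.id === nodeId && l.postedBy === userId);
}

// Mirrors: SomeUserExists(filter: { id: $user_id, OR: [{ isAdmin: true }, { links_some: { id: $node_id } }] })
function canDeleteLink(userId, nodeId) {
  return users.some(u => u.id === userId &&
    (u.isAdmin || links.some(l => l.postedBy === u.id && l.id === nodeId)));
}

// Single entry point the API layer would call per operation (hypothetical name).
// userId must come from the authenticated session, never from client variables.
// READ only requires an authenticated user; anything unknown is denied (fail closed).
function isAllowed(op, ctx) {
  if (typeof ctx.userId !== "string") return false;
  switch (op) {
    case "READ": return true;
    case "CREATE": return canCreateLink(ctx.userId);
    case "UPDATE": return canUpdateLink(ctx.userId, ctx.nodeId);
    case "DELETE": return canDeleteLink(ctx.userId, ctx.nodeId);
    default: return false;
  }
}
```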
41. Resources 📚
• Reinventing Authorization: GraphQL Permission Queries (Article)
https://www.graph.cool/blog/2017-04-25-graphql-permission-queries-oolooch8oh/
• Error-Handling in GraphQL (Specification)
https://facebook.github.io/graphql/#sec-Errors
• Authorization in GraphQL (Discussion)
https://www.graph.cool/blog/2017-04-25-graphql-permission-queries-oolooch8oh/
• Authentication and Error Handling in GraphQL (Video)
https://www.youtube.com/watch?v=xaorvBjCE7A&t=223s