The document discusses authentication, authorization, and error handling in GraphQL. It begins with an introduction to GraphQL concepts like schemas, queries, and mutations. It then covers challenges with authentication and authorization in GraphQL, and how errors are returned in the GraphQL specification. The presentation demonstrates examples of error handling and authorization using permission queries. It concludes by sharing additional resources and announcing job openings.

1. Authentication, Authorization &
Error Handling with GraphQL

2. Nikolas Burk 👋
Developer at Graphcool
$ whoami
@nikolasburk

3. 1. GraphQL Introduction
2. Authentication, Authorization &
Error Handling in GraphQL
3. Demo & Practical Examples
Agenda
@nikolasburk

4. GraphQL Introduction
@nikolasburk

5. What’s GraphQL?
• new API standard
• developed & open-sourced by Facebook
• declarative way of fetching & updating data
@nikolasburk

6. Schema
… defines the data model
@nikolasburk
type Link {
url: String!
description: String
postedBy: User!
}
type User {
name: String!
isAdmin: Boolean!
links: [Link!]!
}

7. Queries
… only read data
Link(id: “1”) {
url
postedBy {
name
}
}
{
“data”: {
“Link”: {
“url”: “https://graph.cool”,
“postedBy”: {
“name”: “Sarah”
}
}
}
}
@nikolasburk

8. Queries
… only read data
@nikolasburk
Link(id: “1”) {
url
postedBy {
name
}
}
{
“data”: {
“Link”: {
“url”: “https://graph.cool”,
“postedBy”: {
“name”: “Sarah”
}
}
}
}

9. Mutations
… write and read data
mutation {
createLink(url: “https://graph.cool”) {
id
}
}
{
“data”: {
“createLink”: {
“id”: “3”,
}
}
}
@nikolasburk

10. Mutations
… write and read data
mutation {
createLink(url: “https://graph.cool”) {
id
}
}
{
“data”: {
“createLink”: {
“id”: “3”,
}
}
}
@nikolasburk

11. How does it work?

12. Authentication, Authorization
& Error Handling in GraphQL
@nikolasburk

13. Authentication vs Authorization
@nikolasburk
• Authentication: Verifying a user’s identity
• Authorization: Specifying data access permissions

14. Error Handling with REST
@nikolasburk
• permissions are handled in API / business
logic layer or middleware
• no standardized approach
• HTTP status codes
• permissions expressed in terms of actions

15. Challenges with GraphQL
@nikolasburk
• fine-grained data access
• transport-layer agnostic - no status codes
• multiple queries in single request are possible

16. Error Handling with GraphQL
@nikolasburk
…described in official
GraphQL specification

17. Returning errors
@nikolasburk
{
"data": null,
"errors": [
...
]
}

18. Anatomy of an error
@nikolasburk
• message: information for the developer
• locations?: where in query or mutation (line+column)
• path?: which field in the query caused the issue
• custom information

19. Example: Required field not provided
@nikolasburk
mutation {
createLink(url: “https://graph.cool”) {
id
}
}

20. mutation {
createLink() {
id
}
}
Example: Required field not provided
@nikolasburk
required url argument is missing ❌

21. {
"data": null,
"errors": [
{
"message": "Field 'createLink' argument 'url' of type 'String!' is required but not provided.",
"locations": [
{
"line": 2,
"column": 3
}
],
"path": [ "createLink" ]
}
]
}
Example: Required field not provided
@nikolasburk
required url argument is missing ❌

22. @nikolasburk
Link(id: “1”) {
id
description
}
Example: Not authorized for specific field (1/2)

23. @nikolasburk
Link(id: “1”) {
id
description # not authorized
}
Example: Not authorized for specific field (1/2)

24. @nikolasburk
{
"data": {
"Link": {
"id": "1",
"description": null
}
},
"errors": [
{
"locations": [
{
"line": 4,
"column": 5
}
],
"path": [ "Link", "description" ],
"message": "Insufficient Permissions",
}
]
}
Example: Not authorized for specific field (1/2)

25. @nikolasburk
{
"data": {
"Link": {
"id": "1",
"description": null
}
},
"errors": [
{
"locations": [
{
"line": 4,
"column": 5
}
],
"path": [ "Link", "description" ],
"message": "Insufficient Permissions",
}
]
}
Example: Not authorized for specific field (1/2)

26. @nikolasburk
{
"data": {
"Link": {
"id": "1",
"description": null
}
},
"errors": [
{
"locations": [
{
"line": 4,
"column": 5
}
],
"path": [ "Link", "description" ],
"message": "Insufficient Permissions",
}
]
}
Example: Not authorized for specific field (1/2)

27. …but
@nikolasburk
… this only works for non-required fields like description.
type Link {
url: String!
description: String
postedBy: User!
}

28. @nikolasburk
Link(id: “1”) {
id
url
}
Example: Not authorized for specific field (2/2)

29. @nikolasburk
Link(id: “1”) {
id
url # not authorized
}
Example: Not authorized for specific field (2/2)

30. @nikolasburk
Example: Not authorized for specific field (2/2)
{
"data": {
"Link": null
},
"errors": [
{
"locations": [
{
"line": 4,
"column": 5
}
],
"path": [ "Link", "url" ],
"message": "Insufficient Permissions"
}
]
}

31. …so
@nikolasburk
… with required fields the error bubbles up.

32. Authorization with GraphQL:
Permission Queries
@nikolasburk
• new and powerful approach to access control
• based on familiar GraphQL queries
• express permission rules by accessing the entire
data graph and object relations

33. Permissions with Graphcool
@nikolasburk

34. Demo
&
Practical Examples
@nikolasburk

35. Example Schema
@nikolasburk
type Link {
url: String!
description: String
comments: [Comment!]! @relation(name: "CommentsOnLink")
postedBy: User! @relation(name: "UsersLinks")
}
type User {
name: String!
isAdmin: Boolean!
links: [Link!]! @relation(name: "UsersLinks")
comments: [Comment!]! @relation(name: "UsersComments")
}
type Comment {
text: String!
link: Link! @relation(name: "CommentsOnLink")
writtenBy: User! @relation(name: "UsersComments")
}

36. 4 Requirements
@nikolasburk
READ: Only authenticated user can read links
CREATE: Only a user who wrote at least one comment
that contains “GraphQL” can create new links
UPDATE: Only a user who created a link can update it
DELETE: Only a user who created a link can delete it
OR the user is an admin

37. READ: Only authenticated user
can read links
@nikolasburk

38. CREATE: Only a user who wrote at least one
comment that contains “GraphQL” can
create new links
@nikolasburk
query ($user_id: ID!) {
SomeUserExists(
filter: {
id: $user_id,
comments_some: {
text_contains: "GraphQL"
}
}
)
}

39. UPDATE: Only a user who created a link
can update it
@nikolasburk
query ($node_id: ID!, $user_id: ID!) {
SomeLinkExists(
filter: {
id: $node_id,
postedBy: {
id: $user_id
}
}
)
}

40. DELETE: Only a user who created a link
can delete it OR the user is an admin
@nikolasburk
query ($node_id: ID!, $user_id: ID!) {
SomeUserExists(
filter: {
id: $user_id,
OR: [{
isAdmin:true
}, {
links_some: {
id: $node_id
}
}]
}
)
}

41. Resources 📚
@nikolasburk
• Reinventing Authorization: GraphQL Permission Queries (Article)
https://www.graph.cool/blog/2017-04-25-graphql-permission-queries-oolooch8oh/
• Error-Handling in GraphQL (Specification)
https://facebook.github.io/graphql/#sec-Errors
• Authorization in GraphQL (Discussion)
https://www.graph.cool/blog/2017-04-25-graphql-permission-queries-oolooch8oh/
• Authentication and Error Handling in GraphQL (Video)
https://www.youtube.com/watch?v=xaorvBjCE7A&t=223s

42. Community 🙌
• slack.graph.cool (> 2500 members)
• GraphQL Weekly Newsletter
• GraphQL Radio Podcast
@nikolasburk

43. We’re hiring!
www.graph.cool/jobs
@nikolasburk

44. Thank you! 🙇
… any questions?
@nikolasburk