Authentication, Authorization & Error Handling with GraphQL
•
4 likes•1,163 views
The document discusses authentication, authorization, and error handling in GraphQL. It begins with an introduction to GraphQL concepts like schemas, queries, and mutations. It then covers challenges with authentication and authorization in GraphQL, and how errors are returned in the GraphQL specification. The presentation demonstrates examples of error handling and authorization using permission queries. It concludes by sharing additional resources and announcing job openings.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Authentication, Authorization & Error Handling with GraphQL
Similar to Authentication, Authorization & Error Handling with GraphQL (20)
More from Nikolas Burk
More from Nikolas Burk (8)
Recently uploaded
Recently uploaded (20)
Authentication, Authorization & Error Handling with GraphQL
- 1. Authentication, Authorization & Error Handling with GraphQL
- 2. Nikolas Burk 👋 Developer at Graphcool $ whoami @nikolasburk
- 3. 1. GraphQL Introduction 2. Authentication, Authorization & Error Handling in GraphQL 3. Demo & Practical Examples Agenda @nikolasburk
- 5. What’s GraphQL? • new API standard • developed & open-sourced by Facebook • declarative way of fetching & updating data @nikolasburk
- 6. Schema … defines the data model @nikolasburk type Link { url: String! description: String postedBy: User! } type User { name: String! isAdmin: Boolean! links: [Link!]! }
- 7. Queries … only read data Link(id: “1”) { url postedBy { name } } { “data”: { “Link”: { “url”: “https://graph.cool”, “postedBy”: { “name”: “Sarah” } } } } @nikolasburk
- 8. Queries … only read data @nikolasburk Link(id: “1”) { url postedBy { name } } { “data”: { “Link”: { “url”: “https://graph.cool”, “postedBy”: { “name”: “Sarah” } } } }
- 9. Mutations … write and read data mutation { createLink(url: “https://graph.cool”) { id } } { “data”: { “createLink”: { “id”: “3”, } } } @nikolasburk
- 10. Mutations … write and read data mutation { createLink(url: “https://graph.cool”) { id } } { “data”: { “createLink”: { “id”: “3”, } } } @nikolasburk
- 11. How does it work?
- 12. Authentication, Authorization & Error Handling in GraphQL @nikolasburk
- 13. Authentication vs Authorization @nikolasburk • Authentication: Verifying a user’s identity • Authorization: Specifying data access permissions
- 14. Error Handling with REST @nikolasburk • permissions are handled in API / business logic layer or middleware • no standardized approach • HTTP status codes • permissions expressed in terms of actions
- 15. Challenges with GraphQL @nikolasburk • fine-grained data access • transport-layer agnostic - no status codes • multiple queries in single request are possible
- 16. Error Handling with GraphQL @nikolasburk …described in official GraphQL specification
- 17. Returning errors @nikolasburk { "data": null, "errors": [ ... ] }
- 18. Anatomy of an error @nikolasburk • message: information for the developer • locations?: where in query or mutation (line+column) • path?: which field in the query caused the issue • custom information
- 19. Example: Required field not provided @nikolasburk mutation { createLink(url: “https://graph.cool”) { id } }
- 20. mutation { createLink() { id } } Example: Required field not provided @nikolasburk required url argument is missing ❌
- 21. { "data": null, "errors": [ { "message": "Field 'createLink' argument 'url' of type 'String!' is required but not provided.", "locations": [ { "line": 2, "column": 3 } ], "path": [ "createLink" ] } ] } Example: Required field not provided @nikolasburk required url argument is missing ❌
- 22. @nikolasburk Link(id: “1”) { id description } Example: Not authorized for specific field (1/2)
- 23. @nikolasburk Link(id: “1”) { id description # not authorized } Example: Not authorized for specific field (1/2)
- 24. @nikolasburk { "data": { "Link": { "id": "1", "description": null } }, "errors": [ { "locations": [ { "line": 4, "column": 5 } ], "path": [ "Link", "description" ], "message": "Insufficient Permissions", } ] } Example: Not authorized for specific field (1/2)
- 25. @nikolasburk { "data": { "Link": { "id": "1", "description": null } }, "errors": [ { "locations": [ { "line": 4, "column": 5 } ], "path": [ "Link", "description" ], "message": "Insufficient Permissions", } ] } Example: Not authorized for specific field (1/2)
- 26. @nikolasburk { "data": { "Link": { "id": "1", "description": null } }, "errors": [ { "locations": [ { "line": 4, "column": 5 } ], "path": [ "Link", "description" ], "message": "Insufficient Permissions", } ] } Example: Not authorized for specific field (1/2)
- 27. …but @nikolasburk … this only works for non-required fields like description. type Link { url: String! description: String postedBy: User! }
- 28. @nikolasburk Link(id: “1”) { id url } Example: Not authorized for specific field (2/2)
- 29. @nikolasburk Link(id: “1”) { id url # not authorized } Example: Not authorized for specific field (2/2)
- 30. @nikolasburk Example: Not authorized for specific field (2/2) { "data": { "Link": null }, "errors": [ { "locations": [ { "line": 4, "column": 5 } ], "path": [ "Link", "url" ], "message": "Insufficient Permissions" } ] }
- 31. …so @nikolasburk … with required fields the error bubbles up.
- 32. Authorization with GraphQL: Permission Queries @nikolasburk • new and powerful approach to access control • based on familiar GraphQL queries • express permission rules by accessing the entire data graph and object relations
- 35. Example Schema @nikolasburk type Link { url: String! description: String comments: [Comment!]! @relation(name: "CommentsOnLink") postedBy: User! @relation(name: "UsersLinks") } type User { name: String! isAdmin: Boolean! links: [Link!]! @relation(name: "UsersLinks") comments: [Comment!]! @relation(name: "UsersComments") } type Comment { text: String! link: Link! @relation(name: "CommentsOnLink") writtenBy: User! @relation(name: "UsersComments") }
- 36. 4 Requirements @nikolasburk READ: Only authenticated user can read links CREATE: Only a user who wrote at least one comment that contains “GraphQL” can create new links UPDATE: Only a user who created a link can update it DELETE: Only a user who created a link can delete it OR the user is an admin
- 37. READ: Only authenticated user can read links @nikolasburk
- 38. CREATE: Only a user who wrote at least one comment that contains “GraphQL” can create new links @nikolasburk query ($user_id: ID!) { SomeUserExists( filter: { id: $user_id, comments_some: { text_contains: "GraphQL" } } ) }
- 39. UPDATE: Only a user who created a link can update it @nikolasburk query ($node_id: ID!, $user_id: ID!) { SomeLinkExists( filter: { id: $node_id, postedBy: { id: $user_id } } ) }
- 40. DELETE: Only a user who created a link can delete it OR the user is an admin @nikolasburk query ($node_id: ID!, $user_id: ID!) { SomeUserExists( filter: { id: $user_id, OR: [{ isAdmin:true }, { links_some: { id: $node_id } }] } ) }
- 41. Resources 📚 @nikolasburk • Reinventing Authorization: GraphQL Permission Queries (Article) https://www.graph.cool/blog/2017-04-25-graphql-permission-queries-oolooch8oh/ • Error-Handling in GraphQL (Specification) https://facebook.github.io/graphql/#sec-Errors • Authorization in GraphQL (Discussion) https://www.graph.cool/blog/2017-04-25-graphql-permission-queries-oolooch8oh/ • Authentication and Error Handling in GraphQL (Video) https://www.youtube.com/watch?v=xaorvBjCE7A&t=223s
- 42. Community 🙌 • slack.graph.cool (> 2500 members) • GraphQL Weekly Newsletter • GraphQL Radio Podcast @nikolasburk
- 44. Thank you! 🙇 … any questions? @nikolasburk