Authorization in GraphQL

However, most API backends require authentication and authorization. In GraphQL there are many ways to achieve this.

In this article, I’ll discuss one such approach to implement authorization.

The getPosts query does not need an authenticated user. On the other hand the createPost mutation strictly requires an authenticated user.

The isAuthenticated directive attached to the createPost validates the authentication token and based on the strict flag throws a GraphQL error if authorization fails.

Using a GraphQL directive to handle authorization has couple of benefits:

Our token handling code lives in the directive. Thus the resolvers can simply use the fully hydrated user object via context.currentUser If needed we can extend the directive to support a role based authorization by simply accepting another arg @isAuthenticated(strict: true, roles: ['ADMIN'])

The @isAuthenticated directive is specified next to the fields in the schema.graphql so it’s easy to see which APIs require authenticated user. Also we are updating the field.description with the 🔑! So it will be visible in the GraphiQL or the playground UI. We can also document the roles required to access the API and so on.

Agree? Disagree? Questions? Just let me know here in the comments. And if you’ve enjoyed this article, please consider 💖ing and sharing it!

Related posts:

As most of you will have noticed or heard we recently updated a lot on Xiphos.Exchange. To make it a bit easier to know what we added/changed we have decided to release this changelog. Every big…

Alhamdulillah wa tabaaraka rahmaan. Dini hari ini, kalau boleh mengutip ungkapan guru kita Ustadz Salim A Fillah, saya diizinkan Allah untuk mengecap lapis lapis keberkahan. Siapa yang mengira…