A Guide on GraphQL Authorization

submitted by
Style Pass
2024-05-04 15:00:03

The GraphQL spec is very open-ended. It leaves many concerns to be implemented by programmers as they see fit. Among the concerns that are not strictly outlined in the spec are Authentication and Authorization. In this article, I’ll walk you through one possible approach to building a great authorization framework for use in your GraphQL API.

I’ll assume that the reader already has a basic understanding of backend development in general and has built at least a basic GraphQL API before. If you haven’t, please take a quick look at the official graphql tutorial.

Before we get into authorization, let’s have a super basic authentication setup in our GraphQL server. We won’t get into the login/signup flows. But we should at the very least have a way to identify who exactly is using our GraphQL API.

Here we’re using apollo-server. The same can be implemented with any other spec-compliant GraphQL server. Implementing the getAuthenticatedUser function is beyond the scope of this article, but however it is implemented, it should return a Promise of a user object rather than the user itself. That way, resolvers don’t have to block on resolving the authenticated user unless they actually need it.
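The shape described above, as an added example that is not the article’s own code: a context builder in the form Apollo Server passes to `new ApolloServer({ context })`, with a stand-in `getAuthenticatedUser` that resolves to a user (or `null`) from a bearer token. The in-memory user store, the token values and the `serverTime`/`me` resolvers are constructed for the demo, and the apollo-server import is left out so the snippet runs stand-alone.

```javascript
// Constructed in-memory user store keyed by bearer token. In a real server this
// would be a session store or database lookup; the tokens here are made up.
const USERS_BY_TOKEN = {
  'tok-alice': { id: 'u1', name: 'alice', roles: ['editor'] },
  'tok-bob': { id: 'u2', name: 'bob', roles: ['viewer'] },
};

// Extract the token from an "Authorization: Bearer <token>" header.
// Node lowercases incoming header names, hence req.headers.authorization.
// Returns null for anonymous requests or any other auth scheme.
function parseBearerToken(req) {
  const header = (req && req.headers && req.headers.authorization) || '';
  const [scheme, token, ...rest] = header.trim().split(/\s+/);
  if (scheme !== 'Bearer' || !token || rest.length > 0) return null;
  return token;
}

// Assumed implementation of getAuthenticatedUser (the article leaves it open).
// It always returns a Promise: resolves to the user object for a known token,
// or to null when the request is anonymous or the token is unknown. The lookup
// is started here but nothing waits on it yet.
function getAuthenticatedUser(req) {
  const token = parseBearerToken(req);
  if (token === null) return Promise.resolve(null);
  // Simulate asynchronous I/O (session store / database round-trip).
  return new Promise((resolve) =>
    setTimeout(() => resolve(USERS_BY_TOKEN[token] || null), 0));
}

// Context builder in the shape Apollo Server calls once per request.
// ctx.user is a Promise, created once and shared by every resolver of the
// request, so the lookup runs at most once per request.
function context({ req }) {
  return { user: getAuthenticatedUser(req) };
}

// Helper for protected resolvers: await the user promise and fail closed
// when nobody is authenticated.
async function requireUser(ctx) {
  const user = await ctx.user;
  if (!user) throw new Error('UNAUTHENTICATED');
  return user;
}

const resolvers = {
  Query: {
    // Public field: never touches ctx.user, so it never waits on authentication.
    serverTime: () => 'constructed-timestamp',
    // Protected field: awaits the user promise only because it needs the user.
    me: async (_parent, _args, ctx) => {
      const user = await requireUser(ctx);
      return { id: user.id, name: user.name };
    },
  },
};

// Drive a single "me" query through the context builder, as the server would.
async function handleMe(req) {
  const ctx = context({ req });
  return resolvers.Query.me(null, {}, ctx);
}

// Drive a single "serverTime" query; resolves without ever awaiting the user.
function handleServerTime(req) {
  const ctx = context({ req });
  return resolvers.Query.serverTime(null, {}, ctx);
}
```

Because `context` hands resolvers a Promise instead of an already-resolved user, a request containing only public fields such as `serverTime` finishes without waiting on the session lookup, while `me` pays that cost only when it runs, and an anonymous caller is rejected with `UNAUTHENTICATED` before any data is returned.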
