Handling Authentication and Authorization in GraphQL
Ryan Chenkie
@ryanchenkie
- Developer Advocate @ Auth0
- Google Developer Expert
- Angularcasts.io,
- GraphQLWorkshops.com
Phenix
Phenix from Slack
Provisioning tools are centered around permissions
How do we add authentication and authorization?
However we want!
GraphQL doesn't have an opinion about auth
But that's not very helpful
Let's look at some ways it can be done
1. Wrapping Resolvers
2. Custom Directives
API auth needs to answer a few questions
- Is the requested data private?
- Does the request contain authentication/authorization information?
- Is that information valid?
Getting users to prove their identity is another topic
Typical Auth in REST
const authMiddleware = (req, res, next) => {
if (userIsAuthenticated(req)) {
next();
} else {
res.status(401).send("Sorry, you're not allowed here!");
}
app.get('/private-data', authMiddleware, (req, res) => {
res.send(somePrivateData);
});
We want something similar in GraphQL
But not this...
const authMiddleware = ...
app.use('/graphql', authMiddleware, graphqlHTTP({
schema
});
We need something that
- Isn't a catch-all
- Gives us info on the authenticated user
- Allows us to handle auth errors appropriately
How do we get there?
1. Wrapping Resolvers
Two Steps to Auth
- Verify authentication info is legit
- Use it to make authorization decisions
First we need to verify authentication
const jwt = require('express-jwt');
const jwtDecode = require('jwt-decode');
const jwtMiddleware = jwt({ secret: 'some-strong-secret-key' });
const getUserFromJwt = (req, res, next) => {
const authHeader = req.headers.authorization;
req.user = jwtDecode(authHeader);
next();
}
app.use(jwtMiddleware);
app.use(getUserFromJwt);
Now we can use the payload in our resolvers
const resolvers = {
Query: {
articlesByAuthor: (_, args, context) => {
return model.getArticles(context.user.sub);
}
}
}
We can also do authorization checks
const resolvers = {
Query: {
articlesByAuthor: (_, args, context) => {
const scope = context.user.scope;
if (scope.includes('read:articles')) {
return model.getArticles(context.user.id);
}
}
}
}
This can get a bit repetitive
We can wrap the resolver instead
A resolver which needs to check scopes
const checkScopeAndResolve = (scope, expectedScope, controller) => {
const hasScope = scope.includes(expectedScope);
if (!expectedScopes.length || hasScope) {
return controller.apply(this);
}
}
const controller = model.getArticles(context.user.id);
const resolvers = {
Query: {
articlesByAuthor: (_, args, context)
=> checkScopeAndResolve(
context.user.scope,
['read:articles'],
controller
);
}
}
Let's get smarter about checking the JWT
Check the JWT in the wrapper
import { createError } from 'apollo-errors';
import jwt from 'jsonwebtoken';
const AuthorizationError = createError('AuthorizationError', {
message: 'You are not authorized!'
});
const checkScopeAndResolve = (context, expectedScope, controller) => {
const token = context.headers.authorization;
try {
const jwtPayload = jwt.verify(token.replace('Bearer ', ''), secretKey);
const hasScope = jwtPayload.scope.includes(expectedScope);
if (!expectedScopes.length || hasScope) {
return controller.apply(this);
}
} catch (err) {
throw new AuthorizationError();
}
}
2. Custom Directives
What if we want to limit access to specific fields?
We can use custom directives
Directives give our queries more power
query Hero($episode: Episode, $withFriends: Boolean!) {
hero(episode: $episode) {
name
friends @include(if: $withFriends) {
name
}
}
}
We can use custom directives on our server
const typeDefs = `
directive @isAuthenticated on QUERY | FIELD
directive @hasScope(scope: [String]) on QUERY | FIELD
type Article {
id: ID!
author: String!
reviewerComments: [ReviewerComment] @hasScope(scope: ["read:comments"])
}
type Query {
allArticles: [Article] @isAuthenticated
}
`;
Defining Custom Directives
const directiveResolvers = {
isAuthenticated(result, source, args, context) {
const token = context.headers.authorization;
// ...
},
hasScope(result, source, args, context) {
const token = context.headers.authorization;
// ...
}
};
const attachDirectives = schema => {
forEachField(schema, field => {
const directives = field.astNode.directives;
directives.forEach(directive => {
...
});
});
};
github.com/chenkie/graphql-auth
With this pattern we get
- A clean API
- Possibility for per-field authorization checks
- Resolver-level authentication checks
There are many ways to do auth in GraphQL
Try a few, see what works best, combine them if you want
However we want!
Thank you!
@ryanchenkie
bit.ly/graphql-auth
graphqlworkshops.com
Handling Authentication and Authorization in GraphQL
By Ryan Chenkie
Handling Authentication and Authorization in GraphQL
Auth for GraphQL can be tricky. It's easy to lock down the entire endpoint but this is often too much. How do we get more specific? Let's talk about the available options and best practices for auth in GraphQL. You'll come away knowing everything you need to get a working auth solution in place
- 3,117