
Authorization in GraphQL

Last Updated : 15 Apr, 2024

When building a GraphQL API, security is a primary consideration. Authorization, the mechanism that decides which users may access which resources and operations, is one of the main measures used to enforce it.

In this article, we will learn about type and field authorization in GraphQL, including resolver authorization, field authorization, and how to combine the two approaches.

Authorization in GraphQL

  • Authorization in GraphQL is used to control access and block users from certain operations and resources based on their assigned roles and permissions.
  • It ensures that only authenticated users with the appropriate permission level can query or mutate data.
  • Authorization can be applied at the type, field, or resolver level and allows fine-grained control over individual parts of the API schema.
  • A GraphQL API protects sensitive data by withholding it from unauthorized users through the enforcement of authorization rules.
  • It also protects the integrity of data by controlling who can access and modify it.

Understanding Type Authorization in GraphQL

  • In GraphQL, type authorization helps keep our data secure by controlling who can access different parts of our GraphQL schema based on their roles or permissions.
  • This means that we can decide which parts of our API users can access and what they can do with the data.
  • For example, we might want to restrict certain users from accessing sensitive information or limit who can make changes to certain types of data.
  • By setting up type authorization, we can ensure that only authorized users can query or modify specific parts of our API, helping to keep our data safe and secure.

Implementation:

Let’s consider an example of type authorization in a GraphQL schema definition using Ruby on Rails with the authorize directive:

# Define a module for GraphQL types
module Types
  # Define a class for the ProjectType GraphQL object
  class ProjectType < BaseObject
    # Require the read_project permission for this whole type
    authorize :read_project
  end
end

Explanation: In the above code, we declare an object type called ProjectType within the Types module. ProjectType inherits from BaseObject, the usual pattern for GraphQL schema definitions in Ruby. We then require the read_project permission for the type, so only users who hold read_project may query or modify its fields. This is type-level authorization: access is granted or denied for whole types based on the permissions defined for them.

Resolver Authorization

  • Resolver authorization is another form of access control. It attaches checks to the individual resolver functions that make up the GraphQL API.
  • Developers can therefore enforce access control within a single request based on the specific action the user is performing.

Implementation:

Now, let’s take resolver authorization as an example for a GraphQL resolver function in JavaScript with Apollo Server. Here is how resolver authorization can be implemented with an Apollo Server plugin that runs before each field is resolved:

const { ApolloServer } = require('apollo-server');

// typeDefs, resolvers and getUser(req) are assumed to be defined elsewhere;
// getUser returns the authenticated user for the request, or null if there is none.
const server = new ApolloServer({
  typeDefs,
  resolvers,
  context: ({ req }) => {
    const user = getUser(req);
    return { user };
  },
  plugins: [
    {
      requestDidStart() {
        return {
          executionDidStart() {
            return {
              // Called before each field is resolved
              willResolveField({ context, info }) {
                // Deny the admin-only field unless the request carries an admin user.
                // Fail closed: an unauthenticated request has no user object at all.
                const isAdmin = context.user && context.user.isAdmin === true;
                if (info.fieldName === 'adminData' && !isAdmin) {
                  throw new Error('Unauthorized access');
                }
              },
            };
          },
        };
      },
    },
  ],
});

Field Authorization

Field authorization limits access to individual fields or attributes of GraphQL types. It makes it possible to restrict specific data fields according to the role or permissions of the user.

Implementation: In this case we consider an example of field authorization in a GraphQL schema definition using GraphQL schema directives. Note that the directive only marks the field; the server must still implement the directive (for example by wrapping the field's resolver) for the check to be enforced.

# GraphQL enforcement example with schema directives
directive @auth(requires: Role = ADMIN) on FIELD_DEFINITION

enum Role {
  ADMIN
}

type SensitiveData {
  id: ID!
  sensitiveField: String! @auth(requires: ADMIN)
  publicField: String!
}

Type and Field Authorizations Together

Using both type-level and field-level authorization mechanisms allows for comprehensive control over API access. Type authorization lets developers restrict read/write access to entire types, while field authorization provides a more granular level of control over specific fields or attributes. Combining these approaches ensures that only authorized users can access particular parts of the API, improving security and data protection.

Implementation: Let’s implement multi-level authorization that combines type and field authorization rules. Type-level restrictions decide whether a user may see an entire type, and field-level checks grant access to specific fields within those types.

module Types
  class ProjectType < BaseObject
    # Authorize the user to read the project
    authorize :read_project

    # Define a field for the sensitive field
    field :sensitive_field, String, null: false

    # Authorize only admins to access this field
    authorize :admin_only
  end
end
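The type, resolver and field checks from the sections above, modelled as an added JavaScript example (not the article's code, and independent of Apollo Server or Rails): the guard fails closed when no user is attached to the request. The policy tables, user objects and resolver map are constructed for illustration.

```javascript
// Added example, not from the article: a plain-JavaScript model of the type-,
// field- and resolver-level checks above, independent of Apollo Server or Rails.
const typePolicy = { Project: 'read_project' };                  // type -> required permission
const fieldPolicy = { 'SensitiveData.sensitiveField': 'ADMIN' }; // "Type.field" -> required role

// Decide whether `user` may resolve `fieldName` on `parentType`.
// Fails closed: an unauthenticated request (no user) is always denied.
function authorizeField(user, parentType, fieldName) {
  if (!user) return false;
  const perms = user.permissions || [];
  const roles = user.roles || [];
  const needPerm = typePolicy[parentType];
  if (needPerm && !perms.includes(needPerm)) return false;
  const needRole = fieldPolicy[`${parentType}.${fieldName}`];
  if (needRole && !roles.includes(needRole)) return false;
  return true;
}

// Wrap every resolver so the check runs before the original resolver,
// the same place the article's plugin hook intervenes.
function withAuthorization(resolvers) {
  const guarded = {};
  for (const [typeName, fields] of Object.entries(resolvers)) {
    guarded[typeName] = {};
    for (const [fieldName, resolve] of Object.entries(fields)) {
      guarded[typeName][fieldName] = (parent, args, context, info) => {
        if (!authorizeField(context.user, typeName, fieldName)) {
          throw new Error(`Unauthorized: ${typeName}.${fieldName}`);
        }
        return resolve(parent, args, context, info);
      };
    }
  }
  return guarded;
}

// Constructed resolver map standing in for a real schema's resolvers.
const resolvers = withAuthorization({
  Project: { name: (p) => p.name },
  SensitiveData: { publicField: (p) => p.publicField, sensitiveField: (p) => p.sensitiveField },
});

// Run one guarded resolver for `user`; report the outcome instead of throwing.
function tryResolve(user, typeName, fieldName, parent) {
  try {
    return { ok: true, value: resolvers[typeName][fieldName](parent, {}, { user }, {}) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```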

Conclusion

Overall, security in a GraphQL API is maintained through type and field authorization, which helps prevent unauthorized access to sensitive data. By using these authorization mechanisms, developers can apply strict access controls and address security concerns. Whether it’s resolver authorization, field authorization, or a combination of both, enforcing authorization in GraphQL API development is crucial for building robust and secure applications.
