Handling Auth with GraphQL

I have been developing RESTful services for some 6+ years now and GraphQL for the last year has been on my mind to explore, to see if it can be an alternative to my approach of creating web services.

I used Node.js and there are many GraphQL libraries to choose from, I opted for Express GraphQL.

“The reference implementation of a GraphQL API server over an Express webserver. You can use this to run GraphQL in conjunction with a regular Express webserver, or as a standalone GraphQL server.”

After a lot of searching, reading and watching, I found that Apollo Server is a very popular library, there are many resources available online that will help you get started. Personally, I found that it adds a lot of abstraction layers and I wanted to keep it as light as possible.

I do not dislike Apollo GraphQL, I just really like Express 😁

Once familiar with resolvers, querying and mutating data with grapiql or any frontend client, your brain will ask you the next questions,

how do I,

Use authentication & authorization

First, the difference, authentication confirms that users are who they say they are, like logging in to your app and getting the token back. Authorization lets the users access certain resources, permissions can be stored within your token.

As I’m using Express, I can use Express middleware to manage my auth requirements. This is slightly different to managing auth with REST as you can manage this for each endpoint and some endpoint do not require auth, we only have one endpoint.

So we create the auth middleware to pass an isAuthproperty on the request object with a value of true or false

For authorization you can create a user property on the request object if the token is valid, and store its contents.

You can access this data through the context argument of your resolvers.

Note, that if you configure the context object on startup, you will have to pass the req object to it and set your context property.

app.use('/graphql', graphqlHTTP(req => ({    
graphiql: {
defaultQuery: require('./default-query'),
headerEditorEnabled: true
context: {
isAuth: req.isAuth,
user: req.user,
error: req.error

Sweet 👍 now we can pass our auth to our resolvers.

The Authorization section on graphql.org recommends to pass the auth to the business logic layer, so that’s what we do.

This is my example of how you could add logic around auth within a data repository.

I’ve created a string array of field names, if the field name is in the array, it requires authentication. After the authentication check, you can create a variable called hasAdminRole , you can check for this within each function that require admin access.

I hope this makes sense, it’s my first post and any feedback is greatly appreciated.

Here is my express-graphql-api project on GitHub.

More to come

Lead Developer. Angular. Node. GraphQL. JavaScript enthusiast.