docs: add page on authorization strategies #4396
Conversation
Co-authored-by: Jovi De Croock <[email protected]>
| If you've read through the docs linearly to get to this point, congratulations! You now know everything you need to build a practical GraphQL API server. | ||
| Want to control access to specific operations or fields? See [Authorization Strategies](\pages\docs\authorization-strategies.mdx). |
There was a problem hiding this comment.
Is it right that this is using backslashes?
| - Keep authorization logic close to business logic. Resolvers are often the | ||
| right place to keep authorization logic. |
There was a problem hiding this comment.
This does not feel like the right messaging to me; in general we encourage that authorization logic should be inside the business logic, and that resolvers should not be used for authorization. You should be able to expose the same business logic over GraphQL, REST, RPC, or any other API approach without having to re-implement authorization - GraphQL is just a method of access to these underlying methods.
From https://graphql.org/learn/authorization/:
Defining authorization logic inside the resolver is fine when learning GraphQL or prototyping. However, for a production codebase, delegate authorization logic to the business logic layer.
We also highlight this approach in the "thinking in graphs" article:
Adds page on authorization strategies, right after authentication/middleware page Also adds a "Before you start" section about using ESM syntax JS code snippets --------- Co-authored-by: Jovi De Croock <[email protected]>
Adds page on authorization strategies, right after authentication/middleware page Also adds a "Before you start" section about using ESM syntax JS code snippets --------- Co-authored-by: Jovi De Croock <[email protected]>
3 participants
Adds page on authorization strategies, right after authentication/middleware page
Also adds a "Before you start" section about using ESM syntax JS code snippets