You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: modules/ROOT/pages/security/securing-a-graphql-api.adoc
+39-9Lines changed: 39 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -18,24 +18,54 @@ Lorem ipsum.
18
18
19
19
=== Authentication
20
20
21
-
Lorem ipsum.
22
-
Explanation on different auth options.
21
+
The xref:security/authentication.adoc[`@authentication` directive] can be applied globally, only to certain fields or only to certain types, and only for certain operations.
23
22
24
23
25
-
==== JWT
24
+
==== JSON Web Token (JWT) authentication
26
25
27
-
Lorem ipsum.
26
+
JWT authentication is a popular method for token-based authentication.
27
+
It allows clients to obtain and use tokens to authenticate subsequent requests.
28
+
29
+
JWT are represent encoded JSON data.
30
+
These data can have arbitrary fields - which ones they should contain depends on the application preferences.
31
+
For instance, if the server side is trying to parse a field `roles_INCLUDES`, then the JWT should contain that.
32
+
33
+
[source, graphql, indent=0]
34
+
----
35
+
//Example
36
+
----
37
+
38
+
You can encode and decode JWT using a site like link:https://www.jwt.io/[https://www.jwt.io/].
28
39
29
40
30
-
==== Lorem?
41
+
//==== Other methods?
31
42
32
-
ipsum.
43
+
//Lorem ipsum.
33
44
34
45
35
46
=== Authorization
36
47
37
-
Validate versus filter.
38
-
We want to ensure we don't report back database internals to end users. Validate throws an error, which could be a hint of what exists or not.
48
+
The xref:security/authorization.adoc[`@authorization` directive] can either be used to filter out data which users should not have access to or throw an error if a query is executed against such data.
49
+
50
+
Both have their own use cases:
51
+
52
+
[source, graphql, indent=0]
53
+
----
54
+
//Example for filtering
55
+
----
56
+
57
+
Lorem ipsum.
58
+
59
+
[source, graphql, indent=0]
60
+
----
61
+
//Example for validation
62
+
----
63
+
64
+
Lorem ipsum.
65
+
66
+
It is important to be aware that error messages generated through validation can be a security concern since they can report database internals to your users.
67
+
68
+
Also see <<best-practice-internal-errors>> on this page.
39
69
40
70
41
71
== Best practice checklist
@@ -50,7 +80,7 @@ While the xref:getting-started/graphql-aura.adoc[Getting started page for GraphQ
50
80
Both potentially expose information that can be used to gain insight on specifics of your GraphQL schema and execute targeted malicious opLorem ipsumerations.
51
81
Be sure to deactivate both in a customer-facing real-life scenario.
52
82
53
-
83
+
[[best-practice-internal-errors]]
54
84
=== Catch internal errors
55
85
56
86
For the same reason it is advisable to avoid introspection and data field suggestions, it can make your API more secure to catch internal errors and redact which information you want to pass on to the end user.
0 commit comments