Jul 21, 2017
Thank you! For authorization, it depends on how granularly you want to authorize.
If it’s just authorizing “the user is allowed to run GraphQL queries against the DB,” then you can authorize via metadata in the request: you can add credentials in an HTTP header if using GraphQL over JSON, or use a gRPC metadata field if using gRPC. The credentials can then be authenticated and the request authorized by the backend service, prior to compiling the query.
If you’d like to authorize more granularly than that, you could introspect the GraphQL query and determine whether the user is authorized to use the types that the query touches, etc. This would of course be substantially more complex, but also more expressive.
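As an added illustration of both approaches in the reply above (it is example code written for this page, not code from the original author): a backend first authenticates a bearer credential carried in an HTTP header and checks the coarse permission "this role may run GraphQL at all", then introspects the query text to compute the set of object types the selection reaches and compares that set against a per-role allow-list before anything is compiled or executed. The schema map, the token table and the role policy are constructed stand-ins; the query walker is a deliberately small hand-written parser that understands fields, aliases, arguments and nested selections and rejects anything else (fragments, directives, unknown fields) so that unsupported syntax fails closed rather than slipping past the check.

```python
import re

# Constructed schema: (parent type, field name) -> type the field returns.
# A real service would derive this from its GraphQL schema object.
SCHEMA = {
    ("Query", "me"): "User",
    ("Query", "invoices"): "Invoice",
    ("Query", "auditLog"): "AuditEntry",
    ("User", "id"): "ID",
    ("User", "email"): "String",
    ("User", "invoices"): "Invoice",
    ("Invoice", "id"): "ID",
    ("Invoice", "amount"): "Int",
    ("Invoice", "customer"): "User",
    ("AuditEntry", "id"): "ID",
    ("AuditEntry", "actor"): "User",
}
SCALARS = {"ID", "String", "Int", "Float", "Boolean"}

# Constructed credential table: stands in for whatever validates the header token.
TOKENS = {
    "tok-alice": {"user": "alice", "role": "customer"},
    "tok-bob": {"user": "bob", "role": "auditor"},
}

# Constructed policy: the object types each role may touch in a query.
ROLE_TYPES = {
    "customer": {"Query", "User", "Invoice"},
    "auditor": {"Query", "User", "Invoice", "AuditEntry"},
}

# Names, punctuation we care about, and any other single non-space character.
TOKEN_RE = re.compile(r"[_A-Za-z][_0-9A-Za-z]*|[{}():]|\S")


def types_touched(query, root="Query"):
    """Return the set of object types a query's selection sets reach.

    Raises ValueError (or IndexError on truncated input) for anything the
    walker does not understand, so callers can fail closed.
    """
    # Blank out string literals first so braces inside them cannot confuse the walk.
    tokens = TOKEN_RE.findall(re.sub(r'"(?:\\.|[^"\\])*"', '""', query))
    touched = set()

    def selection_set(parent, i):
        if tokens[i] != "{":
            raise ValueError("expected selection set")
        touched.add(parent)
        i += 1
        while tokens[i] != "}":
            name = tokens[i]
            i += 1
            if tokens[i] == ":":            # alias: `alias: field`
                name = tokens[i + 1]
                i += 2
            if tokens[i] == "(":            # arguments do not change the types reached; skip them
                depth = 0
                while True:
                    depth += {"(": 1, ")": -1}.get(tokens[i], 0)
                    i += 1
                    if depth == 0:
                        break
            if (parent, name) not in SCHEMA:
                raise ValueError(f"unknown field {parent}.{name}")
            child = SCHEMA[(parent, name)]
            if tokens[i] == "{":
                if child in SCALARS:
                    raise ValueError(f"{parent}.{name} is a scalar")
                i = selection_set(child, i)
            elif child not in SCALARS:
                raise ValueError(f"{parent}.{name} needs a selection set")
        return i + 1

    # Skip an optional `query Name($vars)` prefix; the walk starts at the first brace.
    end = selection_set(root, tokens.index("{"))
    if end != len(tokens):
        raise ValueError("trailing tokens after selection set")
    return touched


def authorize(headers, query):
    """Coarse check (credential -> role allowed to run GraphQL), then the fine-grained
    check (every type the query touches is permitted for that role).
    Returns (allowed, reason); headers is a plain dict keyed 'Authorization'."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    principal = TOKENS.get(token) if scheme == "Bearer" else None
    if principal is None:
        return False, "unauthenticated"
    allowed = ROLE_TYPES.get(principal["role"])
    if allowed is None:
        return False, "role may not run GraphQL"
    try:
        needed = types_touched(query)
    except (ValueError, IndexError) as exc:
        return False, f"rejected query: {exc}"
    denied = needed - allowed
    if denied:
        return False, "not authorized for types: " + ", ".join(sorted(denied))
    return True, "ok"


if __name__ == "__main__":
    q = "query Q($n: Int) { auditLog(first: $n) { id actor { email } } }"
    print(authorize({"Authorization": "Bearer tok-alice"}, q))
    print(authorize({"Authorization": "Bearer tok-bob"}, q))
```

The type-level check is done on the parsed query before compilation, which is the point of the reply's second option: the decision is based on what the query can reach, not on what it happens to return. Field-level or row-level rules would need the same walk extended to `(parent, field)` pairs or pushed into resolvers.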
