Authentication with GraphQL

Rob Parker
Jun 27, 2019


Authentication with GraphQL is left up to the developer. The GraphQL spec does not define any protocols, interfaces, patterns or best practices for authenticating users — and I think that is a good thing.

The GraphQL specification is intentionally silent on a handful of important issues facing APIs such as dealing with the network, authorization, and pagination. This doesn’t mean that there aren’t solutions for these issues when using GraphQL, just that they’re outside the description about what GraphQL is and instead just common practice.

— GraphQL.org

I work on many projects that use GraphQL and I’ve come up with a pattern for authentication that has worked really well in all of them. It might not be the best pattern for you, but it is certainly one of the simplest.

Implementation

The client makes a query to a GraphQL sign-in field with the user's email and password. The server validates those credentials and, if they are correct, sets an encrypted session cookie that contains the corresponding user's id. On later requests the server decrypts that cookie to identify the user.

Demo

And finally, the source code is available here:

https://gitlab.com/kiwi-ninja/example-projects/tree/master/user_auth
