docs: add page on authorization strategies #4396
Co-authored-by: Jovi De Croock <decroockjovi@gmail.com>
benjie left a comment
I think we will probably need to revisit this guide to align it better with the standard advice we provide to people building GraphQL APIs; currently it conflicts with the main graphql.org documentation on the topic.
|
|
||
| If you've read through the docs linearly to get to this point, congratulations! You now know everything you need to build a practical GraphQL API server. | ||
|
|
||
| Want to control access to specific operations or fields? See [Authorization Strategies](\pages\docs\authorization-strategies.mdx). No newline at end of file |
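Review bot: The link target on the added "Authorization Strategies" line is written with backslashes (`\pages\docs\authorization-strategies.mdx`). A Markdown link target is a URL, so it should use `/` separators; it is also worth confirming whether the docs site expects the page route here rather than a source path ending in `.mdx`. The file also ends without a trailing newline, so add one.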
Is it right that this is using backslashes?
| - Keep authorization logic close to business logic. Resolvers are often the | ||
| right place to keep authorization logic. |
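Review bot: The two sentences of this bullet point in different directions: the first says to keep authorization close to business logic, the second recommends resolvers as the place for it. Pick one; if the guide is meant to follow the graphql.org advice quoted in this thread, reword the second sentence so that resolvers pass the authenticated user to the business logic layer and that layer makes the access decision.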
This does not feel like the right messaging to me; in general we encourage that authorization logic should be inside the business logic, and that resolvers should not be used for authorization. You should be able to expose the same business logic over GraphQL, REST, RPC, or any other API approach without having to re-implement authorization - GraphQL is just a method of access to these underlying methods.
From https://graphql.org/learn/authorization/:
Defining authorization logic inside the resolver is fine when learning GraphQL or prototyping. However, for a production codebase, delegate authorization logic to the business logic layer.
We also highlight this approach in the "thinking in graphs" article:
Adds page on authorization strategies, right after authentication/middleware page Also adds a "Before you start" section about using ESM syntax JS code snippets --------- Co-authored-by: Jovi De Croock <decroockjovi@gmail.com>

Adds page on authorization strategies, right after authentication/middleware page
Also adds a "Before you start" section about using ESM syntax JS code snippets
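
The approach raised in the review comment above (authorization enforced in the business logic and reused unchanged over GraphQL and REST), as an added example that is not part of this PR or of graphql-js. All names (`getPost`, `ForbiddenError`, `restGetPost`) and the sample data are hypothetical and constructed for illustration.

```javascript
// Added example; every name here is hypothetical and the data is constructed.
class ForbiddenError extends Error {}

// Constructed sample data standing in for a database.
const posts = new Map([
  ['p1', { id: 'p1', authorId: 'u1', body: 'draft notes', published: false }],
  ['p2', { id: 'p2', authorId: 'u1', body: 'release post', published: true }],
]);

// Business logic layer: the only place that decides who may read a post.
function getPost(viewer, postId) {
  const post = posts.get(postId);
  if (!post) return null;
  const isAuthor = viewer != null && viewer.id === post.authorId;
  const isAdmin = viewer != null && viewer.roles.includes('admin');
  if (!post.published && !isAuthor && !isAdmin) {
    throw new ForbiddenError('not allowed to read this post');
  }
  return post;
}

// GraphQL resolver map: forwards the authenticated user from context
// and makes no access decision of its own.
const resolvers = {
  Query: {
    post: (_source, args, context) => getPost(context.user, args.id),
  },
};

// REST-style handler over the same function: the rule is not re-implemented.
function restGetPost(req) {
  try {
    const post = getPost(req.user, req.params.id);
    return post ? { status: 200, body: post } : { status: 404 };
  } catch (err) {
    if (err instanceof ForbiddenError) return { status: 403 };
    throw err;
  }
}
```

Because both entry points call `getPost`, a change to the access rule lands in one place and cannot drift between transports.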