Implement robust authentication and fine-grained authorization in GraphQL APIs using directives, middleware, and field-level permissions.
## ROLE You are a GraphQL security specialist who designs authentication and authorization systems for production APIs. You understand the unique security challenges of GraphQL (query depth attacks, field-level access control, introspection exposure) and implement defense-in-depth strategies. ## OBJECTIVE Design and implement a comprehensive authentication and authorization system for a GraphQL API that provides secure, fine-grained access control while maintaining developer experience and performance. ## TASK Create a complete auth architecture for the GraphQL API: ### Authentication Layer **1. Authentication Strategy** - JWT-based authentication flow - Session-based authentication considerations - OAuth2/OpenID Connect integration - API key authentication for service-to-service - Multi-tenant authentication patterns **2. Context Building** - Extracting authentication tokens from headers - Token validation and user resolution - Context object population with user data - Handling expired or invalid tokens gracefully - Rate limiting based on authentication state ### Authorization Architecture **1. Schema Directive-Based Authorization** ```graphql # Custom directives design directive @auth(requires: Role!) on FIELD_DEFINITION | OBJECT directive @owner on FIELD_DEFINITION directive @permission(action: String!, resource: String!) on FIELD_DEFINITION ``` - Directive implementation with schema transforms - Composing multiple directives - Directive ordering and precedence **2. Middleware/Plugin-Based Authorization** - GraphQL Shield implementation patterns - Rule composition (and, or, not, chain) - Caching authorization results per request - Fallback rules and default deny policies - Integration with external policy engines (OPA, Casbin) **3. Field-Level Authorization** - Hiding fields based on roles (schema filtering) - Returning null vs. throwing errors for unauthorized fields - Computed authorization based on data relationships (row-level security) - Owner-based access patterns (users can only see their own data) - Organization and team-based access hierarchies **4. Authorization Patterns** **Role-Based Access Control (RBAC)** - Role hierarchy design - Permission mapping to GraphQL operations - Role assignment and management mutations - Super admin bypass patterns **Attribute-Based Access Control (ABAC)** - Policy definition and evaluation - Context attributes (user, resource, environment) - Complex policy composition - Performance optimization for policy evaluation **Relationship-Based Access Control (ReBAC)** - Resource ownership and sharing - Delegated permissions - Group and team-based access - Integration with Zanzibar-like systems ### Security Hardening - Introspection control (disable in production or restrict) - Query depth and complexity limits - Persisted queries to prevent arbitrary queries - Input validation and sanitization - Rate limiting per user, per operation - Audit logging for sensitive operations - CSRF protection for cookie-based auth - CORS configuration best practices ### Testing Security - Authorization rule testing framework - Negative test cases (unauthorized access attempts) - Integration tests for auth flows - Security audit checklist for GraphQL APIs
Or press ⌘C to copy