
Directive-based authorization in GraphQL - Step-by-Step Execution

Concept Flow - Directive-based authorization
Client sends GraphQL query
GraphQL server parses query
Server checks for authorization directives
Evaluate directive conditions
Allow field
Return data
Send response
The server reads the query, checks authorization directives on fields, allows or denies access accordingly, then returns data or errors.
Execution Sample
GraphQL
query {
  user {
    id
    email @auth(role: "ADMIN")
  }
}
A query requesting user id and email, where email requires ADMIN role authorization.
Execution Table
Step | Field | Directive Check | User Role | Authorization Result | Action
1 | user | No directive | USER | Allowed | Resolve user data
2 | user.id | No directive | USER | Allowed | Return id value
3 | user.email | @auth(role: "ADMIN") | USER | Denied | Return error or null for email
4 | Response | - | - | - | Send user id and error/null for email
💡 Authorization directive on email fails for USER role, so email is not returned.
Variable Tracker
Variable | Start | After Step 1 | After Step 2 | After Step 3 | Final
user | null | {id: 1, email: 'a@b.com'} | {id: 1, email: 'a@b.com'} | {id: 1, email: 'a@b.com'} | {id: 1, email: null}
user.id | null | 1 | 1 | 1 | 1
user.email | null | a@b.com | a@b.com | denied | null
Key Moments - 2 Insights
Why is the email field not returned even though it exists in the data?
Because the email field has an @auth directive requiring the ADMIN role, and the user's role is USER, so authorization fails (see Execution Table, step 3).
What happens if a field has no authorization directive?
Fields without directives are allowed by default, so their data is returned normally (see Execution Table, steps 1 and 2).
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table, what is the authorization result for the user.id field at step 2?
A. Allowed
B. Denied
C. Not checked
D. Error
💡 Hint
Check the 'Authorization Result' column for step 2 in the Execution Table.
At which step does the authorization directive cause a denial?
A. Step 1
B. Step 2
C. Step 3
D. Step 4
💡 Hint
Look for the step where 'Authorization Result' is 'Denied' in the Execution Table.
If the user role was ADMIN instead of USER, how would the authorization result for user.email change?
A. It would still be Denied
B. It would be Allowed
C. It would be Not checked
D. It would cause an error
💡 Hint
Refer to the 'Directive Check' and 'User Role' columns for step 3 in the Execution Table.
Concept Snapshot
Directive-based authorization in GraphQL:
- Use directives like @auth(role: "ADMIN") on fields
- Server checks user role against directive
- If authorized, field data is returned
- If denied, field returns error or null
- Fields without directives are allowed by default
Full Transcript
Directive-based authorization in GraphQL works by adding special instructions called directives to fields in a query. When a client sends a query, the server reads it and looks for these directives. For each field with a directive, the server checks if the user has the required role. If yes, the field's data is returned. If not, the field returns an error or null. Fields without directives are returned normally. For example, if a field requires ADMIN role but the user is USER, that field's data is not returned. This process ensures only authorized users see sensitive data.
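The execution described in the transcript and the Execution Table, as an added example (not code from the page): a minimal executor that walks the query's selection set, checks each field against an @auth requirement, and nulls a denied field while recording an error with its path. The @auth requirement is looked up in an assumed server-side schema map (AUTH_DIRECTIVES) rather than taken from the client's query text, so a client cannot bypass the check simply by leaving the directive out; the query tree, data and role names are constructed to match the page.

```javascript
// Assumed schema-side declarations: field path -> role required by @auth(role: ...).
// Fields not listed carry no directive and are allowed by default.
const AUTH_DIRECTIVES = { 'user.email': 'ADMIN' };

// Constructed selection tree for the page's query: user { id email }
const QUERY = [{ name: 'user', selections: [{ name: 'id' }, { name: 'email' }] }];

// Constructed data the resolvers would return.
const DATA = { user: { id: 1, email: 'a@b.com' } };

// "Evaluate directive conditions": allowed when the field has no @auth,
// or when the caller's role matches the required role exactly.
function isAuthorized(fieldPath, ctx) {
  const required = AUTH_DIRECTIVES[fieldPath.join('.')];
  return required === undefined || ctx.role === required;
}

// Walk the selection set. A denied field becomes null and an error carrying
// its path is recorded, so the rest of the response (e.g. user.id) still arrives.
function executeSelections(selections, source, ctx, path, errors) {
  const out = {};
  for (const field of selections) {
    const fieldPath = [...path, field.name];
    if (!isAuthorized(fieldPath, ctx)) {
      out[field.name] = null;
      errors.push({ message: `Not authorized to access ${field.name}`, path: fieldPath });
      continue;
    }
    const value = source?.[field.name] ?? null;
    out[field.name] = field.selections && value !== null
      ? executeSelections(field.selections, value, ctx, fieldPath, errors)
      : value;
  }
  return out;
}

// Top-level entry: returns { data } or { data, errors } in GraphQL's response shape.
function execute(query, data, ctx) {
  const errors = [];
  const result = executeSelections(query, data, ctx, [], errors);
  return errors.length ? { data: result, errors } : { data: result };
}

// USER receives id with email nulled plus an error; ADMIN receives both fields.
console.log(JSON.stringify(execute(QUERY, DATA, { role: 'USER' })));
console.log(JSON.stringify(execute(QUERY, DATA, { role: 'ADMIN' })));
```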