
Authorization & Authentication

This page is currently under construction and expected to change. Please feel free to reach out to us directly in case you are having any troubles.

Authentication

Authentication is the process of identifying who is making a request against your server. Rolling your own authentication solution is a critical task: any flaw in it can result in severe security issues.

  • Auth0: We recommend using an existing third-party service such as Auth0 for most users. With the Auth0 plugin, you can simply bootstrap the authorization process.
  • JSON Web Tokens (JWT): Mesh provides a plugin to easily integrate JWT verification into your API.
  • Generic Auth: In some cases using a third-party auth provider is not possible. But no worries, the generic auth plugin has you covered!

Authorization

Authorization is the process of allowing or denying the authenticated (or sometimes unauthenticated) user to access information. Since GraphQL is a graph, applying authorization based on field resolvers is handy and allows fine-grained control.

Your GraphQL graph might become quite complicated over time, so having a strategy for ensuring correct authorization as the graph grows is mandatory.

Most of the time this logic belongs in the business logic your resolvers call. For some use cases, however, authorization rules can be applied before any execution happens at all, e.g. to reject a GraphQL operation that selects fields the viewer is not allowed to see.

  • Operation Field Permissions: You can automatically reject GraphQL operations that include specific field selections within the operation's selection set.
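The pre-execution check described above, as an added example that is not GraphQL Mesh's own plugin code: it parses the operation's selection set, walks it against a constructed type map and role-based field rules, and rejects the whole operation before any resolver runs. The query language, type map, roles and permission table are all assumptions made for the example.

```javascript
// Added example, not GraphQL Mesh code. Assumptions (all constructed): a minimal query
// language of field names and nested selection sets only (no arguments, aliases,
// fragments or directives), a hand-written type map standing in for the schema, and
// role-based rules for which fields a viewer may select at all.

// Parent type -> field -> return type (null = leaf/scalar).
const FIELD_TYPES = {
  Query: { me: 'User', users: 'User' },
  User: { id: null, email: null, salary: null, manager: 'User' },
};
// Fields that may only be selected by viewers holding one of the listed roles.
const FIELD_PERMISSIONS = { 'User.email': ['user', 'admin'], 'User.salary': ['admin'] };

// Tiny recursive-descent parser: "{ a b { c } }" -> [{ name, selections }, ...].
function parseSelectionSet(source) {
  const tokens = source.match(/[{}]|[A-Za-z_][A-Za-z0-9_]*/g) || [];
  let pos = tokens.indexOf('{'); // skip an optional "query Name" prefix
  function parseSet() {
    if (tokens[pos++] !== '{') throw new Error('expected {');
    const fields = [];
    while (tokens[pos] !== '}') {
      if (pos >= tokens.length) throw new Error('unterminated selection set');
      const name = tokens[pos++];
      fields.push({ name, selections: tokens[pos] === '{' ? parseSet() : [] });
    }
    pos++; // consume '}'
    return fields;
  }
  const selections = parseSet();
  if (pos !== tokens.length) throw new Error('trailing tokens after selection set');
  return selections;
}

// Walk the selection tree with the type map and collect paths the viewer may not select.
function findForbiddenFields(selections, parentType, roles, path = []) {
  const forbidden = [];
  for (const { name, selections: sub } of selections) {
    const allowed = FIELD_PERMISSIONS[`${parentType}.${name}`];
    if (allowed && !allowed.some((role) => roles.includes(role))) forbidden.push([...path, name].join('.'));
    const childType = (FIELD_TYPES[parentType] || {})[name];
    if (childType && sub.length) forbidden.push(...findForbiddenFields(sub, childType, roles, [...path, name]));
  }
  return forbidden;
}

// Decide before any resolver runs: one forbidden selection rejects the whole operation.
function authorizeOperation(query, viewer) {
  const forbidden = findForbiddenFields(parseSelectionSet(query), 'Query', viewer.roles);
  return { ok: forbidden.length === 0, forbidden };
}
```

Rejecting the operation up front keeps resolvers from ever running on fields the viewer cannot see, but it complements rather than replaces the authorization checks in your business logic.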