Advanced GraphQL, v2

Advanced GraphQL, v2 Custom Directives Solution: Authorization & Authentication

Learning Paths:
Check out a free preview of the full Advanced GraphQL, v2 course:
The "Custom Directives Solution: Authorization & Authentication" Lesson is part of the full, Advanced GraphQL, v2 course featured in this preview video. Here's what you'd learn in this lesson:

Scott live codes the second part of the solution to the custom directives exercise by adding authentication and authorization directives to the schema, and explains that using authorization directives can lead to cleaner code than if the code was written using subscriptions.

Get Unlimited Access Now

Transcript from the "Custom Directives Solution: Authorization & Authentication" Lesson

[00:00:03]
>> So let's do that. We can make two directives or we can make one directive. I think I'll make two so I can show you how you can use two directives in combination with each other on one field, cuz I think it will be really cool, cuz I didn't talk about that.

[00:00:15] So we'll make one for authentication directive That extends the schema direct the visitor I'm just gonna copy that and make another one down here for authorization directive. [SOUND] Okay, and we're going to visit the field definition here. We're going to get the field for authentication, we know the strategy is grab the user from the context.

[00:00:46] If the user is not there, throw an error. That's what we did. It's exactly what we're going to do. So we're going to say, resolver is going to equal field.resolve or it's going to equal the default resolver. And then we're going to say, field.resolve = async function, really get the route.

[00:01:08] We don't really care about the args here. We do care about the context though. The content is what we're interested in, we're interested in user, so I'm actually, I'm just gonna say just give me context and then give me info. Cool. So then I'm gonna do the same thing I did an all file.

[00:01:25] So I can go copy that actually, I'm gonna all file and I could literally just copy that, we'll copy that. Come back over here. Spill, that. And I can say if not context.user throw authentication error. Make sure I import that up top here. There we go. So I'm just gonna throw an authentication error instead of returning next.

[00:01:48] I'm just going to return resolver. And that should be ctx. And that should also be cx, I following you that stream is the exact same code regardless get the role here, role is going to be this arcs. There we go. So basically it's the same thing here. So filled out, resolve If not context, if context that user role does not equal role than wrong role, right?

[00:02:33] So you're not going to get in here and then we're going to return the resolver, cool. And obviously the export these things, cool. Authorization, authentication, Awesome, and go back to our typedefs. Let's do some directive things here. directive, and we'll say authentication Authorization. Cool. And authentication doesn't take any arguments, and it's on a field definition.

[00:03:21] Author of these others isn't does take an argument takes a role which is type row. And that's required. And that's going to be on a field definition.
>> You get a default?
>> Yeah, you can get a default you can say like I don't know, like me, like that.

[00:03:45] Do you want to default admin or member, whatever you want to do, but yeah, you can give to default. Cool. So we require that, that looks good. We need to, add them on our index. So we got the FormatDateDirective. We also need the dedication directive and the Authorization directive.

[00:04:16] We had to say authentication. Is the dedication and then authorization key. There we go, authorization director. Cool. All that looks good. Let's just make sure this didn't break while we're moving along. Cool guy looks good but nothing breaks. And now you gotta do is just add them wherever you want so these are field definitions, so queries are types and they have filter so you can add them here.

[00:04:52] So if I wanted to get me, I will had to say you need to be authentication here, where's that one worse you had to invite so if I invite, you also had to be authentication and you also have to be authorization. I should rename those of us. Those are not good names.

[00:05:14] Authentic kated and authorized. That's a lot better. Let's do that.Dedicated and authorized, cool. So yeah, you need to be, got put that out. Where did you go? there we go so authenticated, like that. And then down here you also have to be authenticated and authorize and you can pass in a roll here to be whatever you want.

[00:05:50] So you can just put these side by side like that. Pretty cool, right? All right, so let's see, unknown directive authentication, where am I still using that?
>> Couple lines up, 94.
>> I could have swore I change that. Cool, there we go. Refresh this. And now if I do the, and just to verify if I go to my resolvers I'm pretty sure I don't have any of those authentication things on there.

[00:06:23] Yeah, I don't, I have any any of those wrappers that you might have had. So if it errors out because it's authentication is definitely direct us and not the resolvers. So if I say cool, let me get me. Can ID, kind of property role of no role.
>> On the take off, the director has to authorize instead of the authenticated.

[00:06:52]
>> This one right here. Yeah, you are right, it's already authenticated. Thank you. It's like, I don't know why it's looking for a role there, that's strange. Cool, not off. So it totally works. Let's do a sign up really quick just to get a token going. So I think I might already have one.

[00:07:12] I don't Bet I got one copied in here somewhere. Come on. There's one! Look at there. Let's copy that. Let's pray that still works. [LAUGH] I'll have to sign up again. So authorization. It still works. It gotta load. It's good old JDLT. So cool, that works. And now if we try to do like the invite one, [INAUDIBLE] know that's I'm sure that's an admin so I would definitely have to sign out.

[00:07:49] So kind of [INAUDIBLE] this time. Mutation, Signup, auth SignupInput, like that. Signup, Input, auth, give it a token, it's all I care about and, like all thing here like the email, age.com and the password of pass and a row of member. Cool, so we did that get back to this token here.

[00:08:29] All right, and then we'll try and do an invite here.
>> You missed an E on the front of it, [COUGH]
>> Thank you. I'll get that token there, do a mutation here for an invite, which takes an input and an email, whatever. And the role of Doesn't matter and then we'll try to get this here.

[00:08:54] And our QUERY VARIABLES are HTTP HEADERS. Authorization and our token here wrong role. So, works out pretty good. Now, if I change this to this one or this one would I'm assuming this is an admin. I don't know, this and this very well might not be an admin token.

[00:09:18] I have no clue. But let's find out. Paste that in there. Yeah, that works. And that's how you do authentication directives. Pretty easily. It's basically the same code we already wrote. And, you know, I'll leave up to you. What do you think is cleaner? Ryan stuff like this?

[00:09:37] Or wrapping all your resolvers? I don't know. You tell me. This is way cleaner. Any questions?
>> Yeah.
>> So this is at a field level, right? So if I read a query that doesn't include that field does that mean I could still get data from that query?

[00:09:53]
>> If you write a query that doesn't include that, Phil? Well, I did. I placed these on the field on the query, these are on queries and mutations.
>> So if I, offer me, got it, okay. That makes sense.
>> Yeah, yeah, so you should be good. I mean, you can also put them on fields on a tight.

[00:10:14]
>> This is what I did initially.
>> Yeah, yeah you can do that too. Yeah, you could totally do that. Like there's like, you know,
>> You can have all this stuff except for this one field right here because only admins can see it. So we're gonna make that authorized to be role admin, something like that.