Authorization in the GraphQL era, by Nikolay Sverchkov

"More and more teams choose GraphQL as the transport protocol for their projects. Switching the paradigm brings many benefits but comes at the price of figuring out how to deal with the well-known problems in this new world. Let's talk about a particular one: access control organization. In this talk, I'd like to discuss the differences between graph nodes and controller actions when dealing with user permissions, the pattern of crafting authentication and authorization in Rails applications with GraphQL API, and demonstrate the options we have in our ecosystem."

Speaker: Nikolay Sverchkov, Creative Back-end developer at Evil Martians
Summary
In "Authorization in the GraphQL Era", presented at RailsConf 2020 CE, Nikolay Sverchkov addresses the challenges of and approaches to access control in GraphQL applications, particularly in the Ruby on Rails ecosystem. He discusses the shift from RESTful architectures to GraphQL and what that shift means for user authorization. Key points of the talk:

- **Differences between REST and GraphQL**: In a RESTful Rails app each controller action maps to one operation, so authorization can be attached per action (a `before_action` filter, an `authorize!` call). A GraphQL API is served through a single endpoint, and one request can touch many types and fields, so per-action checks no longer line up with what is being accessed; authorization has to move down to the graph's types, fields and resolvers.
- **Identification and authorization**: Identifying the current user (authentication) is typically handled by Devise, and that part carries over to GraphQL largely unchanged: the viewer is resolved once at the endpoint and passed into the query context. Authorization is the part that needs rethinking, and Sverchkov cautions against bolting REST-style checks onto the GraphQL controller and adding needless complexity.
- **Access control layers**: Fine-grained access control is needed; role checks alone are not sufficient, because the same viewer may be allowed to see some nodes and fields of a type but not others. Libraries such as CanCanCan or Pundit provide a more robust base for expressing these rules.
- **Visibility and policies**: graphql-ruby's visibility hooks can hide fields (and types) from a viewer at the schema level, while policy objects such as those in Action Policy hold the authorization rules themselves, so the rules live next to the data they guard rather than in the controller layer.
- **Performance considerations**: Per-node and per-field checks multiply the number of authorization decisions per request, so data loading and caching of policy results matter more than in REST, especially because clients request exactly the fields they need.
- **Testing authorization logic**: Authorization rules need dedicated tests that confirm policies are actually enforced at the nodes and fields they guard, without the test suite becoming as tangled as the schema itself.
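The talk's central contrast, one check per controller action versus a check per graph node and per field, can be shown without the GraphQL machinery. The block below is an added example for this summary, not code from the talk, from graphql-ruby or from Action Policy; it uses only the Ruby standard library, and every name in it (`User`, `Post`, `PostPolicy`, `PostResolver`, the sample records) is made up for the demo. Node-level rules decide whether a record is returned at all, field-level rules decide which requested fields are projected, and the mutation path raises instead, the way a controller action would:

```ruby
# Added example (not from the talk, graphql-ruby or action_policy): a minimal
# policy layer for a GraphQL-style resolver in plain Ruby. All names here
# (User, Post, PostPolicy, PostResolver, demo_store) are made up for the demo.

User = Struct.new(:id, :role)
Post = Struct.new(:id, :author_id, :title, :body, :draft, :internal_notes)

class Unauthorized < StandardError; end

# One policy object per (viewer, record) pair; each rule is a predicate, the
# shape Pundit and Action Policy use. `viewer` may be nil (unauthenticated).
class PostPolicy
  def initialize(viewer, post)
    @viewer = viewer
    @post = post
  end

  # Node-level rule: published posts are public, drafts only to owner/admin.
  def show?
    !@post.draft || manage?
  end

  # Rule shared by the sensitive field and the mutation.
  def manage?
    return false if @viewer.nil?
    @viewer.role == :admin || @post.author_id == @viewer.id
  end
end

class PostResolver
  # Field => policy rule guarding it (nil means: visible whenever the node is).
  # A REST controller would run one check per action; a graph resolves each
  # field separately, so sensitive fields carry their own rule.
  FIELD_RULES = { title: nil, body: nil, internal_notes: :manage? }.freeze

  def initialize(viewer, store)
    @viewer = viewer
    @store = store # { id => Post }
  end

  # Query: a single node. Returns nil (not an error) for nodes the viewer may
  # not see, so the response does not confirm that a hidden draft exists.
  def post(id, fields)
    record = @store[id]
    return nil unless record && PostPolicy.new(@viewer, record).show?
    project(record, fields)
  end

  # Query: a list. Scoping happens before any field is projected.
  def posts(fields)
    @store.values
          .select { |p| PostPolicy.new(@viewer, p).show? }
          .map { |p| project(p, fields) }
  end

  # Mutation: here a failed check is an error, as with a controller action.
  def update_post(id, attrs)
    record = @store[id]
    raise Unauthorized, "post #{id}" unless record && PostPolicy.new(@viewer, record).manage?
    attrs.slice(:title, :body).each { |k, v| record[k] = v }
    project(record, FIELD_RULES.keys)
  end

  private

  # Field-level visibility: requested fields the viewer may not see are
  # omitted from the result rather than returned as nil or raising.
  def project(record, fields)
    policy = PostPolicy.new(@viewer, record)
    fields.each_with_object({}) do |field, out|
      rule = FIELD_RULES.fetch(field) { raise ArgumentError, "unknown field #{field}" }
      next if rule && !policy.public_send(rule)
      out[field] = record[field]
    end
  end
end

# Constructed sample data for the demo.
def demo_store
  {
    1 => Post.new(1, 10, "Public post", "hello", false, "editor notes"),
    2 => Post.new(2, 20, "Draft post", "wip", true, "secret"),
  }
end

if $PROGRAM_NAME == __FILE__
  store = demo_store
  p PostResolver.new(nil, store).posts(%i[title internal_notes])
  p PostResolver.new(User.new(10, :member), store).post(1, %i[title internal_notes])
  p PostResolver.new(User.new(99, :admin), store).post(2, %i[title body])
end
```

Two design choices are worth noting. Hidden nodes come back as `nil` and hidden fields are simply dropped, which mirrors schema-level visibility: a viewer cannot tell a forbidden draft from a missing one. The mutation raises instead, because a client that attempts a write it is not allowed to perform should get an explicit error. In a real schema the same split applies: `show?`-style rules on types and connections, field-level rules on individual fields, and `authorize!`-style checks in mutation resolvers.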
The major takeaway is that while GraphQL allows flexible, client-shaped queries, it also forces a reevaluation of where and how authorization is enforced: at the graph's nodes and fields rather than at controller actions. Sverchkov encourages reusing the authorization libraries Rails developers already know, while pointing out that the GraphQL ecosystem still has room for improvements and contributions in this area. Overall, the talk serves as a guide for developers navigating the details of implementing effective authorization in GraphQL applications.