Do APIs, not security in your GraphQL
I can’t remember the last time I was excited about a new technology like I am with GraphQL. I don’t think there is anything I don’t like about it, at least not yet! I have not been using it every day in my job, so keep that in mind; however, I believe the whole strategy is fantastic.
Having a schema, and being able to shape each API call on demand, is key to letting applications make efficient use of those calls. It gives developers the freedom to experiment with different data sets very easily, keeps traffic over the wire lean, and avoids parsing data that the requesting application would never have used anyway.
There are a few GraphQL implementations that I’ve seen that are really neat. I recently have been playing with Hasura. It is an open source GraphQL engine being built and managed under CEO Tanmai Gopal, which I saw recently at API World in San Jose. They have a Docker implementation of the Hasura GraphQL engine that works with a Postgres database. Following the instructions I was able to get it up and running in a matter of minutes, create tables in the Postgres DB, and perform GraphQL queries using the embedded test tool.
Although you can build some security into a GraphQL implementation, I can’t help seeing it as a weak feature that tries to satisfy a broad requirement, one that demands far more thought than handing out an API key or some other trivial credential in order to access the API.
Your GraphQL APIs will be exploited easily if they are not protected properly. At a minimum that means TLS on every inbound connection, OAuth access tokens with short lifetimes, and rate limiting per client. On the back end, IP allow-listing and mutually authenticated TLS between the gateway and the GraphQL engine help mitigate last-mile risk, so that the engine only answers to the gateway rather than to anything that can reach its port.
My recommendation is to front your GraphQL APIs with a gateway that issues and validates tokens, encrypts data in flight, and authenticates and authorizes access against your enterprise identity providers, so that your APIs feed the proper people the proper data.
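The checks the two paragraphs above ask a gateway to perform, as an added example that is not code from this post or from Hasura: a short-lived HMAC-signed token (standing in for the OAuth access token), a per-client token-bucket rate limit, a TLS requirement, and a scope check that maps the GraphQL operation type (query versus mutation) to the permission it needs. The token format, the `read`/`write` scope names, the secret and the limits are assumptions made for this example; a real deployment would validate tokens issued by the identity provider and parse the GraphQL document against the schema rather than classifying it by its first word.

```python
"""Gateway checks in front of a GraphQL endpoint.

Added example, not code from the post or from Hasura. The token format, the
scope names, the secret and the limits are assumptions for this example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed secret for the example; a real gateway takes its key material
# from the identity provider or a KMS and rotates it.
SECRET = b"example-gateway-secret-rotate-me"

# Assumed mapping from GraphQL operation type to the scope it requires.
REQUIRED_SCOPE = {"query": "read", "subscription": "read", "mutation": "write"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list, ttl_seconds: int = 300,
                now: Optional[float] = None) -> str:
    """Issue a short-lived token: base64(claims) '.' base64(HMAC-SHA256(claims))."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scopes": scopes, "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token has not expired."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so a forged signature leaks no timing information.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None  # malformed token, bad base64 or bad JSON
    if not isinstance(claims, dict) or "sub" not in claims or claims.get("exp", 0) <= now:
        return None  # expired or missing claims; short lifetimes limit the damage of a leaked token
    return claims


class RateLimiter:
    """Token bucket per client: a burst of `capacity`, refilled at `refill_per_second`."""

    def __init__(self, capacity: int, refill_per_second: float):
        self.capacity = float(capacity)
        self.refill = refill_per_second
        self._buckets = {}  # client -> (tokens, last_seen)

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        tokens, last = self._buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens < 1.0:
            self._buckets[client] = (tokens, now)
            return False
        self._buckets[client] = (tokens - 1.0, now)
        return True


def operation_type(document: str) -> str:
    """Crude classifier: 'mutation ...' / 'subscription ...' are what they say;
    'query ...' and the shorthand '{ ... }' are queries. A production gateway
    would parse the document against the schema instead."""
    words = document.split()
    first = words[0].split("(")[0].split("{")[0] if words else ""
    return first if first in ("mutation", "subscription") else "query"


def gateway(token: str, document: str, limiter: RateLimiter,
            now: Optional[float] = None, over_tls: bool = True) -> Tuple[int, str]:
    """Decide whether a request may be forwarded to the engine. Returns (HTTP status, reason)."""
    if not over_tls:
        return (426, "TLS required")  # a bearer token must never travel in the clear
    claims = verify_token(token, now)
    if claims is None:
        return (401, "invalid or expired token")
    if not limiter.allow(claims["sub"], now):
        return (429, "rate limit exceeded")
    needed = REQUIRED_SCOPE[operation_type(document)]
    if needed not in claims.get("scopes", []):
        return (403, f"missing scope '{needed}'")
    return (200, "forwarded")


if __name__ == "__main__":
    limiter = RateLimiter(capacity=2, refill_per_second=0.5)
    reader = issue_token("alice", ["read"])
    print(gateway(reader, "{ users { id } }", limiter))                 # (200, 'forwarded')
    print(gateway(reader, "mutation { deleteUser(id: 1) }", limiter))   # (403, "missing scope 'write'")
    print(gateway(reader, "{ users { id } }", limiter))                 # (429, 'rate limit exceeded')
```

The order of the checks matters: the TLS and signature checks come first so that unauthenticated traffic never consumes a client's rate-limit budget, and the rate limit is keyed on the authenticated subject rather than on a source IP, which keeps it meaningful behind NAT and load balancers.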
I can’t wait to play with more GraphQL!