Glad you talked about how a cleverly-written request can wreak havoc... the other thing I've personally struggled with is making sure that the client is authorized to access each node in their query.
With REST-style endpoints, most of the time, you can make one check up top. And in my experience, people still get that wrong a lot of times.
But with GraphQL, because of the dynamic nature of the query, it is not so easy!
In your example query showing friends of friends of friends, you may need each node to check "is the original requestor allowed to see this particular relationship, or did this user block that user?"
Great article!
Thanks! This is a great point. Maybe I'll do another article on a GraphQL authorization deep dive next...
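To make the per-node check the comment above describes concrete, here is an added example (not code from the article or its author). It hand-rolls the resolver chain instead of pulling in graphql-js so it runs stand-alone, and the user graph and block list are constructed for illustration. The point it shows: the authorization decision for every edge of a `friends { friends { friends } }` query must be made against the original requester carried in the resolver context, not against the parent node. A resolver that checks "can the parent see this friend" lets the requester reach users who blocked them through an intermediary.

```javascript
// Added example: per-node authorization in a GraphQL-style resolver chain.
// Hand-rolled resolvers (no graphql-js dependency); the data is constructed.

const users = {
  alice: { id: "alice", friends: ["bob", "carol"],          blocked: [] },
  bob:   { id: "bob",   friends: ["alice", "dave", "carol"], blocked: [] },
  carol: { id: "carol", friends: ["alice", "erin", "bob"],   blocked: ["alice"] }, // carol blocked alice
  dave:  { id: "dave",  friends: ["bob"],                    blocked: [] },
  erin:  { id: "erin",  friends: ["carol"],                  blocked: [] },
};

// May `viewerId` see `targetId`? Hidden if either side has blocked the other.
function canView(viewerId, targetId) {
  const viewer = users[viewerId];
  const target = users[targetId];
  if (!viewer || !target) return false;
  return !viewer.blocked.includes(targetId) && !target.blocked.includes(viewerId);
}

// Correct resolver: every edge is authorized against the ORIGINAL requester,
// which the GraphQL execution context carries to every nesting level.
function resolveFriends(parent, context) {
  return parent.friends
    .filter((fid) => canView(context.viewerId, fid))
    .map((fid) => users[fid]);
}

// Buggy resolver: authorizes relative to the parent node instead. Walking
// alice -> bob -> carol, the carol edge is checked as "can bob see carol",
// so alice receives a node from a user who blocked her.
function resolveFriendsUnsafe(parent, context) {
  return parent.friends
    .filter((fid) => canView(parent.id, fid))
    .map((fid) => users[fid]);
}

// Simulate executing `{ user(id) { friends { friends { friends } } } }` to
// `depth` levels with the given resolver; return the sorted set of user ids
// that appear anywhere in the result tree.
function executeFriendsQuery(viewerId, depth, resolver) {
  const context = { viewerId }; // the requester, fixed for the whole query
  const seen = new Set();
  function walk(node, remaining) {
    if (remaining === 0) return;
    for (const friend of resolver(node, context)) {
      seen.add(friend.id);
      walk(friend, remaining - 1);
    }
  }
  walk(users[viewerId], depth);
  return [...seen].sort();
}

// Demo: alice asks for friends-of-friends-of-friends.
console.log("per-requester check:", executeFriendsQuery("alice", 3, resolveFriends).join(","));
console.log("per-parent check:   ", executeFriendsQuery("alice", 3, resolveFriendsUnsafe).join(","));
```

With the per-requester check, alice's three-level query never surfaces carol or anyone reachable only through carol; with the per-parent check, carol and erin leak in at the second and third level even though alice's own direct edge to carol was correctly filtered. The same pattern applies to any field resolver in a nested query: read the principal from the execution context, never from the parent object.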