Hello, everyone, and welcome to this lightning talk about how to secure your GraphQL endpoints in five minutes, and we're going to be doing that using Tyke. So my name is Matt Tanner. I am a product evangelist here at Tyke, and I'm going to be walking you through this.
So getting right down to it, since we have a limited amount of time, let's look at a few problems that we're going to solve within securing GraphQL. First one is adding authorization. So authorization authentication, adding in those mechanisms quickly, securing the schema, so making sure that only specific users have access to specific fields, and then also looking at protecting us against denial of service attacks. How do we do that? Well, we have batteries included security, which is a phrase that we like to use at Tyke to say everything that's within our gateway is included. There's no plugins or anything like that, that you need to add. And for that, we're going to add that right in. Then we're going to, as part of that, put in some field-based permissions to secure the schema, and then we're going to add some query depth limiting to it as well for those denial of service attacks.
So let's see how it works. Let's just get right to it. I'm going to jump out of this. And here I am in the Tyke dashboard. What I'm going to do is first I'm going to show you what I want to secure. There's this TrevorBlades countries API, GraphQL API, that right now is completely open. And I can hit it. There's no security, no type of security at all. What I'm going to do is proxy to that through Tyke, and then secure it using Tyke. So I'm going to grab this. This is as if it was your API. You come over into Tyke and we come over to APIs. Add new API. I'm going to call it countries. It is a GraphQL API. We're going to proxy to an existing GraphQL service, and you'll see that I have the TrevorBlades countries URL in there. Now, at this point, believe it or not, we already have some authorization built in. We've now proxied to it. If I come over to the playground, which is built into Tyke, and I run, if I just hide this here, hide meeting controls. If I come over here and grab this query, and I come over back to here, and run this query, you'll see that it says authorization field is missing.
Comments