If you have existing GraphQL APIs or plan on building them in the future, join us for a 5-minute session to show you how to quickly secure them using Tyk.
Secure Your GraphQL Endpoints With Tyk in 5 Minutes
AI Generated Video Summary
This lightning talk explores how to secure GraphQL endpoints using Tyke, addressing problems such as authorization, schema security, and protection against denial of service attacks. Tyke provides comprehensive security features without the need for additional plugins. It supports various authentication modes, rate limiting, throttling, and query depth limiting. The demonstration shows how Tyke and GraphQL can easily secure APIs by adding authorization headers, restricting access to specific fields, and enforcing query depth limits.
1. Introduction to Securing GraphQL Endpoints
In this lightning talk, we will explore how to secure your GraphQL endpoints in five minutes using Tyke. We will address problems such as adding authorization, securing the schema, and protecting against denial of service attacks. Tyke provides batteries included security, eliminating the need for additional plugins. We will demonstrate the process by securing the TrevorBlades countries API through Tyke's proxy.
Hello, everyone, and welcome to this lightning talk about how to secure your GraphQL endpoints in five minutes, and we're going to be doing that using Tyke. So my name is Matt Tanner. I am a product evangelist here at Tyke, and I'm going to be walking you through this.
So getting right down to it, since we have a limited amount of time, let's look at a few problems that we're going to solve within securing GraphQL. First one is adding authorization. So authorization authentication, adding in those mechanisms quickly, securing the schema, so making sure that only specific users have access to specific fields, and then also looking at protecting us against denial of service attacks. How do we do that? Well, we have batteries included security, which is a phrase that we like to use at Tyke to say everything that's within our gateway is included. There's no plugins or anything like that, that you need to add. And for that, we're going to add that right in. Then we're going to, as part of that, put in some field-based permissions to secure the schema, and then we're going to add some query depth limiting to it as well for those denial of service attacks.
So let's see how it works. Let's just get right to it. I'm going to jump out of this. And here I am in the Tyke dashboard. What I'm going to do is first I'm going to show you what I want to secure. There's this TrevorBlades countries API, GraphQL API, that right now is completely open. And I can hit it. There's no security, no type of security at all. What I'm going to do is proxy to that through Tyke, and then secure it using Tyke. So I'm going to grab this. This is as if it was your API. You come over into Tyke and we come over to APIs. Add new API. I'm going to call it countries. It is a GraphQL API. We're going to proxy to an existing GraphQL service, and you'll see that I have the TrevorBlades countries URL in there. Now, at this point, believe it or not, we already have some authorization built in. We've now proxied to it. If I come over to the playground, which is built into Tyke, and I run, if I just hide this here, hide meeting controls. If I come over here and grab this query, and I come over back to here, and run this query, you'll see that it says authorization field is missing.
2. Securing GraphQL Endpoints
We support various authentication modes such as authentication tokens, mutual TLS, OAuth 2.0, and JOTS. To access the API, keys need to be generated and a policy created. The policy includes settings for rate limiting, throttling, and query depth limiting. Field-based permissions can be set to restrict access to specific fields. Finally, keys are added to the policy, and the GraphQL proxy playground can be accessed through the API.
That's great. That means we're already enforcing an authentication token. Where is that specified? Well, in our setup right down here. We support quite a few different things, but today we're going to use authentication tokens just for brevity. We also support mutual TLS, OAuth 2.0, JOTS, all of those good type of authentication modes.
In order to access this now, I need to generate some keys. In order to have some keys, I need to have a policy created. Let's save this. Jump over to policies, which is down here in the corner. Add policy. I'm going to cover my countries API. Come over to configurations here. I'm just going to call this countries policy. My keys that I generate are never going to expire. Then, I'm going to hop back over here to access rights, and there's a few things that we're going to do. To set per API limits and quota, I'm going to turn this on. This here would allow us to enforce rate limiting, throttling, usage quotas, all that stuff. We won't worry about that today.
What we are going to worry about here is this query depth limiting. What I'm going to do is I'm going to make my maximum query depth five. I'll demonstrate that to you in a moment here. Just with that, now that will be enforced. What I'm also going to do under field-based permissions, I'm not going to allow any of my users of this policy to access. As you can see, you can see all the types available through this API, as well as all the fields individually. I don't want them to have access to continent code or country code. Then I'm going to create policy. There we go. The policy has been created, and now I'm going to hop over to keys. I'm going to add a key for this policy, create key, and with that, my key is created. Now if I come back over to APIs, I'm going to open in a new tab, come over here and come to countries, which is our created GraphQL proxy playground.
3. Securing APIs with Tyke and GraphQL
I added an authorization header with our key to issue the query. After removing the blocked field, I ran the query and gained access to the API using the authentication token. Next, I demonstrated the restriction of code on type continent and type country. Then, I showcased the query depth limiting by running a nested query. Finally, I removed the restricted fields and received data. However, when I tried to go one level deeper and query countries' names, the depth limit was exceeded. This demonstrates how easily APIs can be secured with Tyke and our GraphQL features.
Remember again that we weren't able to issue that query. I'm going to add a request header with an authorization header that includes our key. I'm going to come back and grab our query that we had and I'll paste it in here. And now I'm just going to take out code because we blocked that field and I wanted this to work. And I'm going to run this. And as you can see, now we have access to the API. I'm using that authentication token in order to access it.
Now let's add in our code, which we don't have access to. So countries code and continent, we don't have access to these fields. What happens if I try and hit them? Code is restricted on type continent, so if I get rid of that, next my code is restricted on type country and I can take that out and away we go. And now I'll be able to do that.
And lastly, what I want to show you is I have a query here that is nested and I'm going to demonstrate that query depth limiting that we put here to enforce as well. Paste this in. As you can see, I've got some redundancies in the query. I do that. Oh, I need to come back here and run this. Am I missing another bracket? I must be. There we go. Okay. So as you can see, field code is restricted on type, continent, so let's just get rid of those quickly. Code, code, code. Now we run this and we get some data back. Now what if I go one more here and I say, countries. Can I do name and run this? Depth limit exceeded. So now you can see that at the gateway level, so without even going to that backend service, things are getting cut off and that is how easily it is to secure APIs with tyke and our GraphQL features. That's all.