Secure Your GraphQL Endpoints With Tyk in 5 Minutes

Hello, everyone, and welcome to this lightning talk about how to secure your GraphQL endpoints in five minutes, and we're going to be doing that using Tyke. So my name is Matt Tanner. I am a product evangelist here at Tyke, and I'm going to be walking you through this.

So getting right down to it, since we have a limited amount of time, let's look at a few problems that we're going to solve within securing GraphQL. First one is adding authorization. So authorization authentication, adding in those mechanisms quickly, securing the schema, so making sure that only specific users have access to specific fields, and then also looking at protecting us against denial of service attacks. How do we do that? Well, we have batteries included security, which is a phrase that we like to use at Tyke to say everything that's within our gateway is included. There's no plugins or anything like that, that you need to add. And for that, we're going to add that right in. Then we're going to, as part of that, put in some field-based permissions to secure the schema, and then we're going to add some query depth limiting to it as well for those denial of service attacks.

So let's see how it works. Let's just get right to it. I'm going to jump out of this. And here I am in the Tyke dashboard. What I'm going to do is first I'm going to show you what I want to secure. There's this TrevorBlades countries API, GraphQL API, that right now is completely open. And I can hit it. There's no security, no type of security at all. What I'm going to do is proxy to that through Tyke, and then secure it using Tyke. So I'm going to grab this. This is as if it was your API. You come over into Tyke and we come over to APIs. Add new API. I'm going to call it countries. It is a GraphQL API. We're going to proxy to an existing GraphQL service, and you'll see that I have the TrevorBlades countries URL in there. Now, at this point, believe it or not, we already have some authorization built in. We've now proxied to it. If I come over to the playground, which is built into Tyke, and I run, if I just hide this here, hide meeting controls. If I come over here and grab this query, and I come over back to here, and run this query, you'll see that it says authorization field is missing.

That's great. That means we're already enforcing an authentication token. Where is that specified? Well, in our setup right down here. We support quite a few different things, but today we're going to use authentication tokens just for brevity. We also support mutual TLS, OAuth 2.0, JOTS, all of those good type of authentication modes.

In order to access this now, I need to generate some keys. In order to have some keys, I need to have a policy created. Let's save this. Jump over to policies, which is down here in the corner. Add policy. I'm going to cover my countries API. Come over to configurations here. I'm just going to call this countries policy. My keys that I generate are never going to expire. Then, I'm going to hop back over here to access rights, and there's a few things that we're going to do. To set per API limits and quota, I'm going to turn this on. This here would allow us to enforce rate limiting, throttling, usage quotas, all that stuff. We won't worry about that today.

What we are going to worry about here is this query depth limiting. What I'm going to do is I'm going to make my maximum query depth five. I'll demonstrate that to you in a moment here. Just with that, now that will be enforced. What I'm also going to do under field-based permissions, I'm not going to allow any of my users of this policy to access. As you can see, you can see all the types available through this API, as well as all the fields individually. I don't want them to have access to continent code or country code. Then I'm going to create policy. There we go. The policy has been created, and now I'm going to hop over to keys. I'm going to add a key for this policy, create key, and with that, my key is created. Now if I come back over to APIs, I'm going to open in a new tab, come over here and come to countries, which is our created GraphQL proxy playground.

Remember again that we weren't able to issue that query. I'm going to add a request header with an authorization header that includes our key. I'm going to come back and grab our query that we had and I'll paste it in here. And now I'm just going to take out code because we blocked that field and I wanted this to work. And I'm going to run this. And as you can see, now we have access to the API. I'm using that authentication token in order to access it.

Now let's add in our code, which we don't have access to. So countries code and continent, we don't have access to these fields. What happens if I try and hit them? Code is restricted on type continent, so if I get rid of that, next my code is restricted on type country and I can take that out and away we go. And now I'll be able to do that.

And lastly, what I want to show you is I have a query here that is nested and I'm going to demonstrate that query depth limiting that we put here to enforce as well. Paste this in. As you can see, I've got some redundancies in the query. I do that. Oh, I need to come back here and run this. Am I missing another bracket? I must be. There we go. Okay. So as you can see, field code is restricted on type, continent, so let's just get rid of those quickly. Code, code, code. Now we run this and we get some data back. Now what if I go one more here and I say, countries. Can I do name and run this? Depth limit exceeded. So now you can see that at the gateway level, so without even going to that backend service, things are getting cut off and that is how easily it is to secure APIs with tyke and our GraphQL features. That's all.