Secure Your GraphQL Endpoints With Tyk in 5 Minutes


If you have existing GraphQL APIs or plan on building them in the future, join us for a 5-minute session to show you how to quickly secure them using Tyk.

8 min
02 Jul, 2021

Video Summary and Transcription

This lightning talk explores how to secure GraphQL endpoints using Tyk, addressing problems such as authorization, schema security, and protection against denial of service attacks. Tyk provides comprehensive security features without the need for additional plugins. It supports various authentication modes, rate limiting, throttling, and query depth limiting. The demonstration shows how Tyk and GraphQL can easily secure APIs by adding authorization headers, restricting access to specific fields, and enforcing query depth limits.


1. Introduction to Securing GraphQL Endpoints

Short description:

In this lightning talk, we will explore how to secure your GraphQL endpoints in five minutes using Tyk. We will address problems such as adding authorization, securing the schema, and protecting against denial of service attacks. Tyk provides batteries-included security, eliminating the need for additional plugins. We will demonstrate the process by securing the TrevorBlades countries API through Tyk's proxy.

Hello, everyone, and welcome to this lightning talk about how to secure your GraphQL endpoints in five minutes, and we're going to be doing that using Tyk. So my name is Matt Tanner. I am a product evangelist here at Tyk, and I'm going to be walking you through this.

So getting right down to it, since we have a limited amount of time, let's look at a few problems that we're going to solve within securing GraphQL. The first one is adding authorization. So authorization, authentication, adding in those mechanisms quickly; securing the schema, so making sure that only specific users have access to specific fields; and then also looking at protecting us against denial of service attacks. How do we do that? Well, we have batteries-included security, which is a phrase that we like to use at Tyk to say everything that's within our gateway is included. There are no plugins or anything like that that you need to add. And for that, we're going to add that right in. Then we're going to, as part of that, put in some field-based permissions to secure the schema, and then we're going to add some query depth limiting to it as well for those denial of service attacks.

So let's see how it works. Let's just get right to it. I'm going to jump out of this. And here I am in the Tyk dashboard. What I'm going to do is first I'm going to show you what I want to secure. There's this TrevorBlades countries API, a GraphQL API, that right now is completely open. And I can hit it. There's no security, no type of security at all. What I'm going to do is proxy to that through Tyk, and then secure it using Tyk. So I'm going to grab this. This is as if it was your API. You come over into Tyk and we come over to APIs. Add new API. I'm going to call it countries. It is a GraphQL API. We're going to proxy to an existing GraphQL service, and you'll see that I have the TrevorBlades countries URL in there. Now, at this point, believe it or not, we already have some authorization built in. We've now proxied to it. If I come over to the playground, which is built into Tyk, and I run, if I just hide this here, hide meeting controls. If I come over here and grab this query, and I come back over to here, and run this query, you'll see that it says authorization field is missing.

2. Securing GraphQL Endpoints

Short description:

We support various authentication modes such as authentication tokens, mutual TLS, OAuth 2.0, and JWTs. To access the API, keys need to be generated and a policy created. The policy includes settings for rate limiting, throttling, and query depth limiting. Field-based permissions can be set to restrict access to specific fields. Finally, keys are added to the policy, and the GraphQL proxy playground can be accessed through the API.

That's great. That means we're already enforcing an authentication token. Where is that specified? Well, in our setup right down here. We support quite a few different things, but today we're going to use authentication tokens just for brevity. We also support mutual TLS, OAuth 2.0, JWTs, all of those good types of authentication modes.

In order to access this now, I need to generate some keys. In order to have some keys, I need to have a policy created. Let's save this. Jump over to policies, which is down here in the corner. Add policy. I'm going to cover my countries API. Come over to configurations here. I'm just going to call this countries policy. My keys that I generate are never going to expire. Then, I'm going to hop back over here to access rights, and there's a few things that we're going to do. To set per API limits and quota, I'm going to turn this on. This here would allow us to enforce rate limiting, throttling, usage quotas, all that stuff. We won't worry about that today.

What we are going to worry about here is this query depth limiting. What I'm going to do is I'm going to make my maximum query depth five. I'll demonstrate that to you in a moment here. Just with that, now that will be enforced. What I'm also going to do under field-based permissions, I'm not going to allow any of my users of this policy to access. As you can see, you can see all the types available through this API, as well as all the fields individually. I don't want them to have access to continent code or country code. Then I'm going to create policy. There we go. The policy has been created, and now I'm going to hop over to keys. I'm going to add a key for this policy, create key, and with that, my key is created. Now if I come back over to APIs, I'm going to open in a new tab, come over here and come to countries, which is our created GraphQL proxy playground.

3. Securing APIs with Tyk and GraphQL

Short description:

I added an authorization header with our key to issue the query. After removing the blocked field, I ran the query and gained access to the API using the authentication token. Next, I demonstrated the restriction of code on type continent and type country. Then, I showcased the query depth limiting by running a nested query. Finally, I removed the restricted fields and received data. However, when I tried to go one level deeper and query countries' names, the depth limit was exceeded. This demonstrates how easily APIs can be secured with Tyk and our GraphQL features.

Remember again that we weren't able to issue that query. I'm going to add a request header with an authorization header that includes our key. I'm going to come back and grab our query that we had and I'll paste it in here. And now I'm just going to take out code because we blocked that field and I wanted this to work. And I'm going to run this. And as you can see, now we have access to the API. I'm using that authentication token in order to access it.

Now let's add in our code, which we don't have access to. So countries code and continent, we don't have access to these fields. What happens if I try and hit them? Code is restricted on type continent, so if I get rid of that, next my code is restricted on type country and I can take that out and away we go. And now I'll be able to do that.

And lastly, what I want to show you is I have a query here that is nested and I'm going to demonstrate that query depth limiting that we put here to enforce as well. Paste this in. As you can see, I've got some redundancies in the query. I do that. Oh, I need to come back here and run this. Am I missing another bracket? I must be. There we go. Okay. So as you can see, field code is restricted on type continent, so let's just get rid of those quickly. Code, code, code. Now we run this and we get some data back. Now what if I go one more here and I say, countries. Can I do name and run this? Depth limit exceeded. So now you can see that at the gateway level, so without even going to that backend service, things are getting cut off, and that is how easy it is to secure APIs with Tyk and our GraphQL features. That's all.
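The two policy checks the talk demonstrates, field-based permissions (blocking `code` on Continent and Country) and a maximum query depth of five, modelled as an added example; this is not Tyk's code. It assumes a constructed, simplified excerpt of the countries schema, a depth rule that counts nested selection sets, and error strings approximated from what the playground showed in the talk.

```python
import re

# Constructed, simplified excerpt of the countries schema used in the talk:
# parent type -> field -> return type (None = scalar). An assumption for this
# example; Tyk reads the real schema from the upstream service.
SCHEMA = {
    "Query": {"countries": "Country", "continents": "Continent", "country": "Country"},
    "Country": {"code": None, "name": None, "continent": "Continent"},
    "Continent": {"code": None, "name": None, "countries": "Country"},
}
# The policy from the talk: `code` blocked on both types, maximum query depth five.
BLOCKED = {("Continent", "code"), ("Country", "code")}
MAX_DEPTH = 5
TOKEN = re.compile(r"\{|\}|\([^)]*\)|[A-Za-z_]\w*")

def parse(query):
    """Parse a bare selection set `{ ... }` into nested dicts {field: {subfield: ...}}.
    Arguments in parentheses are skipped; fragments and variables are not handled."""
    tokens, pos = TOKEN.findall(query), 0
    def selection_set():
        nonlocal pos
        assert tokens[pos] == "{", "expected '{'"
        pos, fields = pos + 1, {}
        while tokens[pos] != "}":
            name, pos = tokens[pos], pos + 1
            if tokens[pos].startswith("("):  # skip arguments such as (code: "US")
                pos += 1
            fields[name] = selection_set() if tokens[pos] == "{" else {}
        pos += 1
        return fields
    return selection_set()

def query_depth(fields):
    """Nesting depth of a parsed selection set: `{ countries { name } }` is 2 (assumed rule)."""
    return 1 + max((query_depth(sub) for sub in fields.values()), default=0) if fields else 0

def check(query, max_depth=MAX_DEPTH, blocked=BLOCKED):
    """Return gateway-style errors for a query; an empty list means it would be forwarded."""
    errors, tree = [], parse(query)
    def walk(fields, parent):
        for name, sub in fields.items():
            if (parent, name) in blocked:
                errors.append(f"field {name} is restricted on type {parent}")
            child = SCHEMA.get(parent, {}).get(name)
            if sub and child:
                walk(sub, child)
    walk(tree, "Query")
    if query_depth(tree) > max_depth:
        errors.append("depth limit exceeded")
    return errors
```

Because both checks run on the parsed query alone, a rejected request never reaches the upstream service, which is the point the talk makes about enforcement at the gateway level.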
