MockRounds Logo

GraphQL API Authorization Essentials Quiz Quiz

Assess your understanding of best practices and core concepts in implementing authorization within GraphQL APIs. This quiz covers key authorization methods, security rules, common mistakes, and effective patterns for securing your GraphQL endpoints.

  1. Authorization vs Authentication

    Which statement best describes the difference between authorization and authentication in a GraphQL API?

    1. Authorization is the process of logging in to the API.
    2. Authorization determines what actions a user can perform, while authentication verifies the user's identity.
    3. Authentication allows access to data fields, while authorization updates the schema.
    4. Authentication decides user roles, while authorization checks passwords.

    Explanation: Authorization controls access to resources and actions after a user has been authenticated, ensuring only permitted users can perform specific operations. Authentication just proves the user's identity. The statement about deciding user roles and passwords confuses the two concepts. Logging in is authentication, not authorization. Updating the schema is unrelated to either concept.

  2. Field-Level Authorization

    Why might you want to implement field-level authorization in a GraphQL API?

    1. To restrict access to specific parts of data based on user permissions.
    2. To reduce network traffic during introspection queries.
    3. To speed up database migrations.
    4. To enforce API rate limiting for all endpoints.

    Explanation: Field-level authorization lets you limit access to certain fields within a type, ensuring users can only see or change data they are allowed to. This is important for sensitive data. Field-level authorization does not inherently optimize network traffic, aid in database migrations, or control rate limiting, which are different concerns.

  3. Common Authorization Pattern

    What is a common pattern for enforcing authorization in a GraphQL resolver function?

    1. Automatically grant full access to all query fields.
    2. Check user permissions at the start of the resolver and return an error if unauthorized.
    3. Run a mutation before checking permissions.
    4. Apply authorization rules only in the schema definition.

    Explanation: Validating permissions as soon as the resolver starts avoids leaking data or performing unwanted actions. Running a mutation first could result in unauthorized changes. Automatically granting access is insecure. Relying solely on schema definitions misses runtime context crucial for authorization.

  4. Role-Based Access Control (RBAC)

    What does Role-Based Access Control (RBAC) enable in a GraphQL API?

    1. Storing authentication tokens within the schema.
    2. Granting permissions based on assigned user roles such as 'admin' or 'user'.
    3. Assigning different API endpoints to HTTP methods.
    4. Automatically validating GraphQL document syntax.

    Explanation: RBAC lets you assign roles to users and define which roles can access which resources or perform specific actions. Assigning API endpoints to HTTP methods is not related to RBAC. Syntax validation is a parser's job, not RBAC. Storing tokens in schemas is insecure and unnecessary.

  5. Using Directives for Authorization

    How can custom directives help enforce authorization rules within a GraphQL API?

    1. By filtering out introspection queries from clients.
    2. By removing the need for user authentication.
    3. By marking schema fields with metadata that triggers authorization checks during query execution.
    4. By generating new endpoints for every role.

    Explanation: Custom directives can annotate fields to signal that authorization logic should run when those fields are accessed. They do not create new endpoints or bypass authentication. Filtering introspection is unrelated to the purpose of directives.

  6. Authorization in Mutations

    Why is it important to perform authorization checks in GraphQL mutations?

    1. Because mutations always execute before resolvers.
    2. Because mutations are only accessible by administrators.
    3. Because mutations can modify or delete sensitive data, requiring careful permission checks.
    4. Because queries never return sensitive data.

    Explanation: Mutations may allow changes to important data, so ensuring only authorized users can perform them is crucial. Mutations are not guaranteed to run before resolvers; queries can also return sensitive data, so that statement is inaccurate. Non-administrators may also use mutations, depending on permissions.

  7. Authorization Errors

    When a user makes an unauthorized request, what is the recommended behavior for a GraphQL API?

    1. Return a clear authorization error message and avoid disclosing sensitive information.
    2. Return a syntax error.
    3. Close the database connection immediately.
    4. Return the requested data anyway.

    Explanation: Best practice is to send an informative error indicating a lack of authorization, while not revealing internal details. Returning the data violates security principles. Closing database connections is unnecessary and unrelated. Syntax errors are specific to query structure, not permissions.

  8. Authorization Middleware

    What is the purpose of using middleware for authorization in a GraphQL API server?

    1. To check user permissions before executing resolvers and prevent unauthorized actions.
    2. To format GraphQL queries for readability.
    3. To cache all resolver outputs for future requests.
    4. To patch the schema with temporary fields.

    Explanation: Middleware allows centralized permission checks before any resolver is run, improving security and maintainability. Formatting queries, patching schemas, or caching outputs do not relate to authorization controls.

  9. Default Access Control

    What is a safe default approach for access control in a GraphQL API?

    1. Deny access by default and only grant permissions explicitly.
    2. Randomly assign permissions to new users.
    3. Grant permissions temporarily and review them later.
    4. Allow access by default to reduce user friction.

    Explanation: A 'deny-by-default' stance ensures users can only access resources they are clearly granted, minimizing risks of accidental exposure. Allowing access by default is unsafe. Temporary grants and random assignments ignore best practices and lead to confusion or vulnerabilities.

  10. Authorization Context

    How is the user’s authorization context typically passed and accessed in GraphQL resolver functions?

    1. Authorization context is embedded inside the GraphQL schema’s type definitions.
    2. It is injected into the query string by clients.
    3. Resolvers retrieve authorization context by calling an HTTP endpoint per field.
    4. It is included in the context object provided to each resolver for every request.

    Explanation: The context object is designed to carry user information, tokens, and related authorization details needed during request handling. Fetching context per-field is inefficient. Embedding such information in type definitions is not scalable. Injecting data into query strings is insecure and incorrect.

  11. Scalability and Authorization Logic

    What technique can help keep authorization logic scalable and maintainable in larger GraphQL APIs?

    1. Embedding raw SQL directly into resolvers for permissions.
    2. Encapsulating authorization checks in reusable helper functions or modules.
    3. Skipping checks on less-critical types.
    4. Duplicating checks in every resolver manually.

    Explanation: Reusable helpers centralize authorization rules for consistency and easier changes across the codebase. Duplicating checks leads to errors and maintenance headaches. Skipping checks opens security holes. Embedding raw SQL in resolvers conflates concerns and is unsafe.

  12. Authorization in Subscriptions

    Why must authorization checks be performed both when initializing and during the lifetime of a subscription in GraphQL?

    1. Because only public data is broadcast via subscriptions.
    2. Because subscriptions are authenticated automatically by the server.
    3. Because subscriptions cannot access the context object.
    4. Because user permissions may change after the subscription starts, requiring ongoing verification.

    Explanation: Since a user's access level might change while a subscription is active, repeated authorization checks prevent unauthorized data exposure. Context objects are generally accessible. Not all subscriptions are for public data. The server does not guarantee automatic authentication for subscriptions.

  13. Introspection and Security

    What is a potential risk of exposing the entire schema through introspection in a GraphQL API with authorization controls?

    1. All network requests become encrypted by default.
    2. Resolvers fail to execute unless introspection is disabled.
    3. Sensitive field names and types could be revealed to unauthorized users.
    4. Introspection queries use more bandwidth than normal queries.

    Explanation: Introspection can disclose details about your schema, revealing internal models or fields that should be hidden. Encryption and bandwidth concerns are unrelated to introspection itself. Introspection does not cause resolver failures.

  14. Owner-Based Authorization

    Which scenario best demonstrates owner-based authorization in a GraphQL API?

    1. Disabling authentication for all endpoints.
    2. Allowing all users to update any resource in the API.
    3. Allowing users to edit only their own profile data, but not others'.
    4. Giving all users admin access by default.

    Explanation: Owner-based authorization limits access or actions to users who 'own' a resource, such as their own data. Allowing updates to any resource, disabling authentication, or giving admin to all are insecure and do not represent owner-based control.

  15. Least Privilege Principle

    How does the least privilege principle apply to designing authorization for a GraphQL API?

    1. New users should receive all possible permissions initially.
    2. Privilege levels should remain static and unchangeable.
    3. All actions should be anonymous by default.
    4. Each user or role should have only those permissions absolutely necessary to perform required tasks.

    Explanation: The least privilege model is about restricting permissions to only those strictly needed, reducing risk. Granting all permissions, making everything anonymous, or not updating privilege levels violates security best practices.

  16. Security Pitfalls

    What is a common mistake that can lead to authorization bypass vulnerabilities in GraphQL APIs?

    1. Validating all input types strictly.
    2. Returning concise error messages for unauthorized access.
    3. Forgetting to enforce authorization checks inside resolver functions.
    4. Structuring the API schema with clear type names.

    Explanation: Omitting checks in resolvers leaves gaps through which attackers can access or modify data they should not. Strict input validation, clear type names, and concise unauthorized error messages are actually positive security practices and do not create bypass issues.

mockrounds.com Learn • Practice • Evaluate