Q9 of 20 · GraphQL
How do you test authorisation in GraphQL given that one query can traverse the whole graph?
GraphQLSeniorgraphqlsecurityauthorisationsenior
Short answer
Short answer: Because a single query can walk from an allowed object into nested fields, authorisation must be enforced per-field/per-object, not just at the entry point. Test that a user permitted to read an object still cannot read a protected nested field through it.
Detail
In REST, authorisation is roughly per-endpoint. In GraphQL, one query can traverse deep into the graph:
query {
order(id: "1001") { # I'm allowed to see my order
customer {
paymentMethod # ...but am I allowed to see this?
}
}
}
If authorisation is only checked at the order entry point, a user could reach sensitive nested fields they shouldn't — the classic GraphQL authz leak (and the second incident in many real post-mortems).
How to test it:
- Set up two users with different permissions and distinct data.
- Top-level test: user A cannot query user B's
orderdirectly. - Nested test (the important one): within a query user A is allowed to start (their own order), assert they cannot resolve a protected nested field — and check whether the response leaks it via
dataor correctly returns aFORBIDDENerror on thatpath. - Partial-success check: confirm the protected field comes back
nullwith a corresponding error, not silently populated.
The mindset interviewers want: authorisation is a property of every field the query touches, not just the root.
// WHAT INTERVIEWERS LOOK FOR
Field/object-level authz reasoning, designing the A-reads-B's-nested-field case, and tying it to partial-success error checking.
// COMMON PITFALL
Testing only top-level access and assuming nested fields inherit it safely — the exact gap that leaks data.