00:00:09.209
hello everyone to start off I want to
00:00:12.309
say thanks to those who organized our
00:00:15.250
unusual conference I hope you can enjoy
00:00:18.820
the talk sitting on your couch actually
00:00:22.029
who knows maybe this forced constraint
00:00:23.880
will become a stimulus for evolution
00:00:27.189
and we will get a new and interesting
00:00:30.189
conference format because video is a
00:00:33.430
limitless source of opportunity as the
00:00:36.640
talk moves ahead we can overcome
00:00:38.260
restrictions and quickly move to the
00:00:40.870
original planned conferences we can go to
00:00:44.320
Portland or we can have a
00:00:47.199
conversation with a famous person from
00:00:50.019
the Ruby community for example we can
00:00:52.929
call Aaron Patterson and ask Aaron what
00:00:57.219
do you think about GraphQL
00:00:58.239
authorization
00:00:59.760
Aaron is super friendly and I'm 100% sure he
00:01:04.030
will not refuse us yeah the possibilities
00:01:07.450
of the online world are truly endless and
00:01:10.060
platforms like TikTok prove that
00:01:12.909
people have immense creativity
00:01:15.280
however this is one of our first attempts
00:01:18.880
and we didn't have long to prepare and
00:01:22.840
record our video so I'm going to limit
00:01:25.990
this to a couple of opening slides with
00:01:29.380
my face so let me introduce myself my
00:01:34.960
name is Nikolai Tsvetkov and I am
00:01:37.240
a creative back-end engineer at Evil
00:01:40.000
Martians we are engaged in product
00:01:43.660
development and help companies such as
00:01:46.330
eBay or Fountain to grow their
00:01:51.940
products we are open source fans and I
00:01:56.620
think you have heard about our front-end
00:01:59.590
libraries such as Autoprefixer or
00:02:03.450
PostCSS or Ruby gems
00:02:06.580
like AnyCable or TestProf also we
00:02:10.989
started working on blockchain open source
00:02:13.599
and now we're developing Astrograph
00:02:15.790
which is a GraphQL interface for Stellar
00:02:18.780
for more information you can visit our
00:02:23.050
website evilmartians.com
00:02:26.200
as for me I am from Tatarstan and
00:02:30.400
this is a place in Russia you might
00:02:33.400
never have heard of typically I would say the
00:02:36.820
phrase come to me after the talk and
00:02:39.580
I'll give you cool stickers with an Evil
00:02:42.250
Martian in the national costume from the
00:02:44.260
place where I live but alas we have to
00:02:48.370
wait a little for this ok enough about
00:02:51.580
me let's move to the topic of the talk
00:02:55.350
it's good form for the speaker to
00:02:58.000
briefly go over their talk and their
00:02:59.800
vision I know that sometimes when people
00:03:02.380
see GraphQL in the title they think ok
00:03:06.130
yeah the speaker will try to sell me
00:03:08.440
GraphQL again and tell me how
00:03:10.510
amazing it is but that is not why we are
00:03:13.660
here today I would like to stick to the
00:03:16.150
basic concepts instead of going into a
00:03:18.520
detailed introduction to the technology
00:03:21.420
sometimes I doubt the benefits of
00:03:24.760
GraphQL because I see a lot of hype around
00:03:27.270
this technology but only a few know that
00:03:31.390
it's extremely difficult to design a
00:03:34.209
good GraphQL API I thought that the
00:03:37.209
best way to share my experience with
00:03:39.400
GraphQL authorization is to show a
00:03:41.800
comparison of GraphQL with something that
00:03:44.260
you all know REST authorization and I'm
00:03:46.989
going to provide specific examples of
00:03:49.209
them too to begin let's remember what
00:03:52.750
RESTful is on this slide you can see the
00:03:56.140
standard Rails application architecture
00:03:58.989
on the left side is the user on the
00:04:02.020
right side is our data and a layer for
00:04:04.780
interacting with it usually this is
00:04:07.630
simply ActiveRecord and in the
00:04:10.360
middle we can see a layer for connecting
00:04:12.790
the user and data
00:04:14.410
this is the architecture that Ruby on Rails
00:04:16.660
provides out of the box and as I said in
00:04:20.410
last year's conference in St.
00:04:22.300
Petersburg I'm a huge fan of DHH and I
00:04:25.150
think Rails is a really great framework
00:04:27.550
but Rails is just a skeleton for your own
00:04:32.289
project
00:04:33.870
almost always we need more for example
00:04:36.780
let's imagine that we have a multi-tenant
00:04:38.850
application and somehow we need to
00:04:40.710
control access to specific resources in
00:04:44.130
this case we will have to add to the
00:04:46.890
RESTful API another layer and access
00:04:49.290
control there so what is RESTful
00:04:51.600
RESTful is a software architecture style
00:04:54.030
that defines a set of constraints to be
00:04:55.800
used for creating web services okay but
00:04:59.250
what is GraphQL GraphQL is a query
00:05:02.010
language for APIs and a runtime for
00:05:04.470
fulfilling queries with your existing data
00:05:07.190
yeah comparing a language and an architecture
00:05:11.010
style sounds like a terrible idea
00:05:13.220
to fix this we are going to introduce
00:05:15.810
the next architecture a GraphQL Rails
00:05:18.410
application we see in the slide the user
00:05:21.930
and his data as we saw in previous
00:05:23.580
slides and something new for us in the
00:05:27.450
middle if you have never seen a GraphQL
00:05:29.850
project before you may be surprised that
00:05:32.760
in this picture there is only one
00:05:34.800
controller and one route it might be
00:05:37.350
strange but it's true trust me
00:05:40.700
usually we'll see in the controllers folder we
00:05:44.220
only have one action with code similar
00:05:47.520
to this the whole logic of fetching and
00:05:50.490
manipulating data moved to another
00:05:52.830
place it sounds like a call to GraphQL
00:05:55.350
internals and so what are GraphQL
00:05:57.630
internals in a global sense we have one
00:06:00.120
huge class which is called GraphQL
00:06:03.270
Schema the schema has one execute method
00:06:05.910
which takes a query and params from the
00:06:09.750
request and just executes it the schema inside
00:06:12.810
consists of two things types and
00:06:15.090
mutations where
00:06:16.920
types are responsible for read operations
00:06:18.630
and mutations which implement create
00:06:21.660
update and destroy actions if we look a
00:06:24.660
little closer these actions are
00:06:26.760
implemented through specific Ruby
00:06:28.590
classes for example we can request the
00:06:31.860
user and his profile or we can request
00:06:35.190
the user his posts and comments of the
00:06:38.520
posts or try to add a comment you
00:06:41.220
can see that all these actions are
00:06:43.590
interconnected and
00:06:45.390
what yeah you're right this is a
00:06:48.150
graph so yeah and this is all the
00:06:51.840
introduction to GraphQL that I wanted
00:06:55.020
to give you so our main question is how
00:06:58.110
do we implement an access control layer
00:07:00.810
for a GraphQL Rails application is it
00:07:03.180
possible to reuse approaches from the
00:07:05.430
standard application and if not what do we
00:07:08.100
need to do we are going to start with a
00:07:10.110
basic concept of authentication
00:07:12.270
what is authentication authentication
00:07:15.990
is an act of proving the identity of the
00:07:19.020
user or more simply
00:07:20.960
determining which user is currently
00:07:22.890
working with the system to implement
00:07:25.370
authentication we usually use frameworks such
00:07:28.650
as Devise which has many ready-made
00:07:31.410
functions out of the box the question is
00:07:34.350
how do we use this
00:07:36.840
framework with GraphQL fully for
00:07:39.660
example do we implement all Devise actions
00:07:41.760
such as login and logout using
00:07:44.670
GraphQL and the answer is no that is not
00:07:47.730
necessary at all you can leave your login
00:07:51.570
and logout actions outside the graph
00:07:53.760
and use the default Devise controllers the
00:07:57.780
same idea directly underlies the
00:08:00.810
authorization execution the biggest
00:08:03.150
mistake will be to transfer not the
00:08:05.340
current user himself but some token
00:08:08.540
cookie or just some identification to
00:08:12.630
the graph this will greatly complicate
00:08:15.150
application code and writing tests in
00:08:17.820
the future so yeah so far our solutions
00:08:20.670
are no different from the usual RESTful
00:08:23.580
API ok let's move on to a more
00:08:26.550
interesting issue ensuring
00:08:28.380
authentication usually in a system we
00:08:30.570
have two types of actions actions
00:08:32.700
allowed for everyone including guests and
00:08:35.100
actions only allowed for authorized
00:08:37.320
users yeah probably
00:08:39.060
everyone can read posts but they can
00:08:41.610
only be updated by users who authorized
00:08:44.940
themselves in a standard Rails application
00:08:47.490
we can solve this problem using a before
00:08:49.650
action callback in each
00:08:52.080
controller we set a specific list of
00:08:53.730
actions
00:08:54.660
forbidden for guests
00:08:56.820
this is not the most maintainable
00:08:59.040
solution actually from the point of view
00:09:00.930
of support but at the same time it is
00:09:04.410
powerful and easy to use but what about
00:09:07.380
GraphQL in the GraphQL version we
00:09:09.630
have only one controller and if we
00:09:12.090
protect it with a before callback
00:09:14.610
it will prohibit all actions for us which
00:09:17.490
is not adequate we need to find a
00:09:19.800
solution to prohibit the execution of
00:09:22.230
specific nodes of the graph for
00:09:24.600
unauthorized users yeah it's time for
00:09:28.320
serious slides and code snippets and the next
00:09:31.170
thing in the presentation I'm going to
00:09:32.820
show the code associated with the
00:09:36.210
graphql-ruby gem actually I have nothing
00:09:38.730
more to add here because there are no
00:09:41.640
other alternatives to this
00:09:44.580
library in the Ruby ecosystem let's take
00:09:47.580
a look at the code we saw earlier now we
00:09:51.510
can talk about what context is context is a
00:09:54.810
specific variable which is passed along
00:09:57.810
the entire query execution stack and
00:10:00.710
this is our way to pass through some
00:10:03.750
kind of state inside the graph using the
00:10:07.440
new knowledge we can look at the
00:10:10.350
example of fetching or getting the user
00:10:13.950
and his profile from the inside to do
00:10:16.950
this we create a user type class where we
00:10:20.220
define a profile field and a method for how
00:10:23.130
to resolve this profile field also we
00:10:26.010
create a profile type class and describe the
00:10:28.110
fields that we can request actually
00:10:30.810
everything is really really simple and
00:10:34.290
now knowing context is available
00:10:37.140
everywhere we simply add a check of
00:10:39.540
current user just like this it does not
00:10:42.450
look like anything special and the problem is
00:10:46.440
that this is a poorly maintainable
00:10:49.350
solution and we will have
00:10:52.320
to duplicate the code many many
00:10:54.510
times for each resolver let's use some
00:10:57.870
magic to solve it this magic is called
00:11:00.150
visibility
00:11:01.200
first I have to say that visibility is a
00:11:03.270
graphql-ruby specific feature in the
00:11:05.580
official GraphQL
00:11:07.200
specification
00:11:08.579
there is no such thing and this may be
00:11:11.610
an omission secondly its implementation
00:11:15.029
is simple we need to add just one method
00:11:18.509
to the type like here but we still have
00:11:22.739
a problem with reusing this code so let's
00:11:26.790
move this method to a separate helper or
00:11:29.759
module and add it to the base type class
00:11:33.179
just using a wrapper method yeah it's
00:11:36.809
better but now there is a new problem such a
00:11:39.660
solution globally affects all types and
00:11:42.989
restricts the entire graph but we
00:11:45.959
need it in one place to fix this we tweak the
00:11:49.799
type's initializer a bit and add something
00:11:52.769
like login required as I said we can
00:11:56.939
use the powerful options DSL which is a
00:12:00.449
feature of the graphql-ruby gem and with
00:12:03.959
this DSL we can list the fields that
00:12:08.639
should not be accessible for guests for
00:12:12.149
example in this slide everyone can read
00:12:15.239
users' posts but user profiles are only
00:12:18.449
for authenticated users I guess it's
00:12:21.809
really very elegant from my point of
00:12:24.540
view visibility is not the only way to
00:12:28.199
implement authentication protection for
00:12:30.779
specific fields to understand why this
00:12:33.809
is the best solution we need to talk about
00:12:35.850
one feature called the introspection
00:12:38.850
system you can ask a GraphQL schema for
00:12:41.579
information about what queries it
00:12:43.980
supports there are tools and bots
00:12:47.040
which can build a whole graph
00:12:49.249
based on a given graph entry point this
00:12:53.669
information about queries mutations
00:12:56.129
types and so on would give an attacker
00:12:58.049
many opportunities to find
00:12:59.669
vulnerabilities and errors in processing
00:13:02.790
in a specific GraphQL implementation
00:13:04.679
so if you have a non-public API
00:13:07.230
my advice is to completely disable schema
00:13:09.929
introspection in production if you write a
00:13:12.720
public API as a third-party service then
00:13:16.230
you can use the visibility features that we
00:13:18.329
saw on the previous slides it
00:13:20.440
automatically hides information about
00:13:23.310
protected branches of your graph this is
00:13:27.040
all about authentication let's talk
00:13:29.290
about authorization yeah authorization is
00:13:33.220
a function of specifying access to
00:13:36.940
resources authorization answers the
00:13:40.090
questions can this user do this action
00:13:43.810
or is the user allowed to do this one of
00:13:47.950
the most common authorization
00:13:49.270
restrictions is based on a role in the
00:13:51.880
application we have administrators or
00:13:54.130
managers and so on and we want to
00:13:56.200
restrict access to resources using
00:13:58.170
custom roles
00:13:59.620
the question is should we use the same
00:14:01.600
visibility approach as we saw two
00:14:04.360
slides back the short answer is no it
00:14:08.440
will be a weak decision in terms of
00:14:10.330
application development the
00:14:11.920
authorization rules are not limited only
00:14:14.170
to the roles of the user almost always
00:14:17.170
you have several layers of checks and we
00:14:20.290
cannot cover them with just boolean
00:14:22.720
flags only I need to say that there are
00:14:25.060
two graphql-ruby built-in features that are
00:14:27.730
designed for authorization but I do not
00:14:31.210
recommend using them the problem is that
00:14:33.490
in this case the graph like a controller will
00:14:35.620
contain too much logic and will get
00:14:38.260
ActiveRecord 2.0 and additional use of
00:14:42.100
access rules in other parts of the
00:14:44.440
application will be impossible with this
00:14:47.320
implementation these problems are not new
00:14:49.810
for us and due to such difficulties with
00:14:52.690
describing access rules we have several
00:14:54.760
libraries such as CanCan or CanCanCan
00:14:57.280
or Pundit to make our life easier
00:15:01.480
we would like to continue to use the
00:15:04.300
familiar tools especially if we are
00:15:06.339
migrating our RESTful application to
00:15:08.470
GraphQL or we have a hybrid
00:15:10.360
architecture and we don't want to
00:15:13.420
rewrite the authorization layer let's
00:15:16.330
remember how everything looks for a
00:15:19.030
standard API for example in Pundit we are
00:15:21.430
talking about a relation with one rule for
00:15:23.530
one action one rule for one
00:15:26.620
action unfortunately people often get
00:15:29.140
confused about the action you should
00:15:32.410
think about
00:15:33.699
a rule for an action of a resource not about
00:15:36.249
a rule for an action of a controller yeah very
00:15:38.799
often these are equivalent to each other
00:15:41.739
but this is only a consequence of the
00:15:44.619
RESTful style itself there is the same basic
00:15:48.489
constraint at the heart of GraphQL
00:15:51.669
authorization too this is just a little
00:15:54.639
more complicated because nodes of the
00:15:56.919
graph can be not only types aka
00:15:59.290
resources but also final scalar fields
00:16:02.669
so we have more opportunities for
00:16:05.249
flexible configuration of access to
00:16:08.109
specific fields of resources which is
00:16:11.230
difficult to do in the standard case
00:16:13.480
standard Rails application and it's
00:16:16.419
sometimes solved by duplicating
00:16:17.709
endpoints for different roles as I showed
00:16:21.069
in the slide so returning to our original
00:16:24.850
question can we reuse existing abilities
00:16:27.459
layers in a sense yeah yes but at the
00:16:32.290
same time we will find the cases for
00:16:34.779
which we do not have enough solutions
00:16:36.970
for example how to pass the current user to
00:16:39.489
policies how to handle the relation
00:16:41.559
here or how to ensure authorization
00:16:43.059
happens and so on
00:16:45.689
usually this is covered by helpers which
00:16:50.139
are a part of authorization libraries
00:16:52.059
the problem is that they are all focused
00:16:55.419
on working with RESTful applications and
00:16:58.869
absolutely not suitable for GraphQL
00:17:01.439
in fact this missing part is so
00:17:05.019
important that it is sold as a part of the paid
00:17:09.250
version of graphql-ruby GraphQL Pro
00:17:11.279
has integration with CanCan and
00:17:14.110
Pundit I don't know the exact price of
00:17:17.350
GraphQL Pro because I always use a
00:17:19.630
free way to solve
00:17:20.799
all the mentioned problems with
00:17:22.600
authorization yeah if we were in the
00:17:25.689
conference room now I could ask who has
00:17:28.779
heard about the gem action_policy and count
00:17:31.809
the number of raised hands but I cannot
00:17:34.990
do it and I think that your reaction
00:17:37.149
will be similar to this gif for a
00:17:39.639
couple of people who do not know about
00:17:41.230
action_policy action_policy is an
00:17:43.029
authorization framework which is written
00:17:45.760
by my colleague Vladimir Dementyev if
00:17:48.460
the Pundit library is small and fits
00:17:51.190
altogether in two or three hundred lines of
00:17:54.430
code then action_policy
00:17:56.440
contains many more built-in features and
00:17:59.610
this is a framework um not just a
00:18:02.050
library and in short action_policy is
00:18:04.690
Pundit on steroids and you can easily
00:18:07.270
migrate from Pundit to action_policy and
00:18:09.760
action_policy is independent of Rails and
00:18:11.560
has several extensions including support
00:18:14.440
for graphql-ruby as I said the action
00:18:17.290
policy API is borrowed from Pundit and
00:18:21.430
you will not immediately find a
00:18:24.010
difference between them to use this
00:18:26.320
policy just add a flag to the
00:18:29.140
specific field and everything will work
00:18:31.180
magically we can say the same thing
00:18:33.910
about exception handling yeah you can
00:18:37.240
use similar code with Pundit but it does
00:18:40.270
not know how to send a specific
00:18:42.790
authorization error message
00:18:44.640
out of the box Pundit does not know how
00:18:47.440
to do this but this is important for
00:18:49.690
GraphQL because it is a part of the
00:18:52.000
official specification in general the
00:18:54.940
library contains many helpers which
00:18:58.030
greatly facilitate the implementation of
00:19:00.520
authorization for graphql-ruby
00:19:03.610
but I won't bore you by listing them
00:19:07.420
all in fact let's look at more
00:19:10.000
interesting and specific issues for
00:19:12.670
example data scoping in our schema the
00:19:16.300
user has posts
00:19:18.460
what kind of posts we need to return by
00:19:21.100
request depends on the current user for
00:19:24.970
example if the current user is the same
00:19:27.760
user aka the owner he can see all his
00:19:30.700
undeleted posts if he is an administrator
00:19:33.760
he can see all of the user's posts
00:19:36.430
including those that are deleted if he
00:19:40.240
is a guest only published posts can be
00:19:42.610
seen just a couple of custom logic
00:19:47.340
scopes and as you can see such a
00:19:50.860
scenario is easily implemented on the
00:19:54.220
policy side just three lines of code
00:19:59.070
I think that's it just do not forget to write
00:20:01.230
policy tests the next feature is even
00:20:05.009
more specific to GraphQL because many
00:20:07.380
people present this technology mainly as
00:20:10.320
an improvement in terms of the front-end
00:20:12.990
side let's imagine that we have a rule
00:20:16.529
that allows or prohibits a user from
00:20:19.799
performing the action and on the front-end
00:20:23.009
side we have a button that is
00:20:25.980
responsible for initiating this action
00:20:28.700
so we need to show or highlight the button
00:20:31.769
accordingly the question is where is
00:20:36.000
the best place for the UI element
00:20:38.190
display logic yes unfortunately many
00:20:42.509
developers choose the wrong
00:20:44.730
solution and
00:20:47.659
implement the logic in two places at
00:20:50.759
once on the back end checking the
00:20:53.460
authorization rule on the front end the
00:20:56.909
logic of the button display by indirect
00:21:00.570
signs but the rule is the same and the
00:21:03.659
right decision is to transfer or expose
00:21:06.539
this information from a single source of
00:21:09.179
truth from the back end with action
00:21:12.750
policy GraphQL we can do this with
00:21:16.139
just a single line of code in this case
00:21:19.049
the response will look standardized
00:21:22.259
and contain the text of the error in
00:21:24.809
case we need to show why the user is
00:21:28.110
prohibited from performing the action
00:21:30.330
yeah it's time for the last features one
00:21:33.840
of the biggest problems that I saw in
00:21:37.620
projects is a performance issue it's
00:21:40.740
very difficult to design and make a
00:21:43.139
GraphQL API without N+1 and batch
00:21:46.080
loading problems there are also problems
00:21:48.570
that some parts of the graph
00:21:51.539
are requested much more often than others
00:21:54.960
and in this case one of the ways to
00:21:57.809
improve performance is to add a cache
00:22:00.809
layer the cache is required not only for
00:22:04.139
data but also for calculating the rules
00:22:06.600
because sometimes rule calculation can
00:22:09.840
be really complicated
00:22:11.460
and this rule applies to policies and in
00:22:14.279
the case of the library I just showed caching
00:22:16.919
is really simple with action_policy
00:22:19.230
GraphQL you just add one single line of
00:22:22.289
code
00:22:22.980
I think some listeners may ask themselves
00:22:25.710
now we are talking only about reading
00:22:28.289
data what about data changes or more
00:22:31.140
simply mutations we didn't talk about
00:22:33.690
mutations because they cannot be nested in
00:22:36.779
GraphQL technically by specification
00:22:40.049
you can make something like nested
00:22:41.730
mutations but it's better not to even
00:22:44.640
think about it
00:22:45.480
in the case of single-level nesting
00:22:47.940
mutations are no different from ordinary
00:22:50.809
service objects one way to cover them
00:22:54.419
with authorization is to call
00:22:56.669
the specific helper in a resolver method
00:22:59.820
like here there's only one problem how do
00:23:03.600
we ensure policies are used it is
00:23:07.140
crucial to make sure that every change
00:23:10.169
action is protected by a policy this code
00:23:13.260
is not part of graphql-ruby or action
00:23:16.169
policy it's our custom code and so I will
00:23:19.409
show only the main part of it and you
00:23:21.899
can find the full code snippet by the
00:23:25.350
link below using this code we will be
00:23:30.770
protected from forgetful developers
00:23:34.320
because this after-resolver callback
00:23:38.480
automatically will check whether we called
00:23:41.789
the authorization policy or not last but not
00:23:46.140
least let's discuss writing tests for
00:23:48.360
authorization logic unfortunately for
00:23:51.149
all the power of the types and
00:23:53.250
mutations declaration with all the
00:23:55.770
flexibility of it at the moment
00:23:58.020
we can only write integration tests in
00:24:00.929
other words execute a raw GraphQL query and
00:24:03.659
check the results the good part is that
00:24:07.380
we always check the full execution of a query
00:24:09.419
but of course it's not free let's look
00:24:12.240
at this simple test for checking
00:24:14.309
permissions of a type field here does
00:24:17.159
everything look clean
00:24:18.510
we have several contexts where we check
00:24:21.120
answers for each type of user but these
00:24:24.570
are actually bad
00:24:25.560
tests like all integration tests they
00:24:28.080
are slow we always need to do some setup
00:24:30.600
with the database for each test they
00:24:33.060
are also complex we will have to compare
00:24:35.790
the response many times for different fields
00:24:38.640
or put this code into shared
00:24:41.370
examples which does not make the code
00:24:43.680
simpler and most importantly we don't need
00:24:47.100
to check access here at all for this we have a
00:24:50.880
different layer of logic policies they
00:24:53.460
are the source of authorization logic the
00:24:55.890
tests must be in a separate policy layer
00:24:58.680
for types we need to only check that
00:25:01.440
the corresponding policies have been called and
00:25:04.290
action_policy GraphQL has a helper for
00:25:06.780
this by the way all the points
00:25:10.020
from the last two slides are valid
00:25:12.180
for controller tests too if you had checks
00:25:15.060
for each type of user in the controller
00:25:17.190
tests then I have bad news for you
00:25:19.770
conclusion
00:25:20.670
yeah it's time to make a short
00:25:22.800
conclusion I think you noticed that in
00:25:26.430
general we can imagine the whole
00:25:28.290
situation with such a chart despite the
00:25:31.650
fact that graphql-ruby has its own
00:25:34.200
mechanism for authorization the best
00:25:36.990
solution is still to use third-party
00:25:38.600
libraries that we are already familiar
00:25:41.760
with this solution will make it easier
00:25:44.190
to migrate from one technology to another
00:25:46.560
and reuse the authorization code
00:25:49.100
however we still have some wrappers and
00:25:51.420
helpers that are tied to a
00:25:55.230
particular technology we all know pretty
00:25:57.270
well these features for a RESTful
00:25:59.250
application and also we have stable
00:26:02.750
authentication and authorization
00:26:04.770
libraries and unfortunately we cannot
00:26:06.810
say that about the GraphQL ecosystem
00:26:09.450
there are many questions that are
00:26:11.640
currently without answers for example
00:26:14.700
how do we make an analog of the
00:26:17.100
permitted attributes for graphql-ruby
00:26:19.590
and authorize mutation arguments or how
00:26:23.640
do we implement authorization for schema
00:26:25.920
federation which is more complex on the
00:26:31.530
other hand there are good
00:26:33.060
opportunities for open source
00:26:34.590
contributions and that's it thank you so
00:26:37.890
much for
00:26:38.750
being here today I hope this information
00:26:41.200
was of use to you feel free to reach out
00:26:44.960
to me with any questions or comments
00:26:47.810
also subscribe and read the Evil Martians
00:26:50.900
blog and thank you and bye