Should I use REST or GraphQL for the login?


I have a GraphQL API, but I have doubts about whether to log in with a
GraphQL mutation or do it with a REST endpoint. I know that it can be done both ways.

Any comments?

I have read, and even heard in some courses, that for the login the ideal is to have a REST endpoint instead of a mutation. Is there any best practice for this?


1 Answer

The GraphQL idea is that the server exposes its schema, and clients retrieve the schema to determine which API to use. Following this idea, your schema has to be accessible to anonymous users if you implement the login API through GraphQL. It can potentially make your system vulnerable, but "fixing" it could be tricky.

That’s why having a REST endpoint for login is a good practice. With this approach, you can restrict access to the GraphQL schema for anonymous users.
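A sketch of the layout this answer describes, added here as an example and not code from the post: a REST `/login` route is the only thing an anonymous caller can reach, and `/graphql` rejects unauthenticated requests before the query is parsed, introspection included. The route names, `handle`, `executeGraphQL` (a stand-in for a real GraphQL executor) and the sample account are all assumptions.

```javascript
// Added example. Routes, names and the account below are constructed for illustration.
const { randomBytes, scryptSync, timingSafeEqual } = require('node:crypto');

const SALT = randomBytes(16);
const hashPassword = (pw) => scryptSync(String(pw), SALT, 32);
const USERS = new Map([['alice', hashPassword('correct horse battery staple')]]);
const SESSIONS = new Map(); // opaque token -> { user, expires }
const SESSION_TTL_MS = 15 * 60 * 1000;

// Stand-in for the real GraphQL executor (assumption); only reached after authentication.
function executeGraphQL(query, user) {
  return { data: { viewer: user } };
}

// REST login: the one operation an anonymous caller is allowed to perform.
function login(username, password, now = Date.now()) {
  const stored = USERS.get(String(username));
  // Hash even for unknown users so response time does not reveal which accounts exist.
  const candidate = hashPassword(password ?? '');
  if (!stored || !timingSafeEqual(candidate, stored)) return null;
  const token = randomBytes(32).toString('hex');
  SESSIONS.set(token, { user: String(username), expires: now + SESSION_TTL_MS });
  return token;
}

function authenticate(headers = {}, now = Date.now()) {
  const match = /^Bearer ([0-9a-f]{64})$/.exec(headers.authorization ?? '');
  const session = match && SESSIONS.get(match[1]);
  if (!session || session.expires <= now) return null;
  return session.user;
}

// Router: req is { method, path, headers, body }; returns { status, body }.
function handle(req, now = Date.now()) {
  if (req.method === 'POST' && req.path === '/login') {
    const { username, password } = req.body ?? {};
    const token = login(username, password, now);
    if (!token) return { status: 401, body: { error: 'invalid credentials' } };
    return { status: 200, body: { token } };
  }
  if (req.method === 'POST' && req.path === '/graphql') {
    // The gate runs before the query is parsed, so introspection
    // (__schema, __type) is refused for anonymous callers like any other query.
    const user = authenticate(req.headers, now);
    if (!user) return { status: 401, body: { error: 'authentication required' } };
    return { status: 200, body: executeGraphQL(req.body?.query, user) };
  }
  return { status: 404, body: { error: 'not found' } };
}
```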


