Closed tobiasdiez closed 3 years ago
As the Passport initializer is already using express-session as middleware and storing the session inside a cookie, I think we could store that session inside Redis and tap it, by reading the cookie, to check whether the user is logged in whenever the user calls an endpoint. This provides a little bit more security, as we are storing the data on the server side.
Links for a better explanation: https://medium.com/mtholla/managing-node-js-express-sessions-with-redis-94cd099d6f2f and https://sherryhsu.medium.com/session-vs-token-based-authentication-11a6c5ac45e4
Also, there are some security concerns with JWT. I would like to work on this issue. Please let me know which way you prefer.
Thanks for your interest and for pointing out that the current memory session store is not suitable for production. I've opened a new issue https://github.com/JabRef/JabRefOnline/issues/104 to keep track of this part of the authorization problem. That's definitely something where help is very much appreciated.
I agree sessions are preferable. But so far I couldn't find (without searching a lot) good documentation for how to use sessions with Java GraphQL clients. Most of them are token-based (e.g. https://www.apollographql.com/docs/android/tutorial/10-authenticate-your-queries/). If there is a solution using sessions, then that would be great.
For reference: https://docs.github.com/en/developers/apps/authorizing-oauth-apps describes authorization for apps for GitHub.
I'll close this for now since the session-based auth is definitely preferred. If this is not possible with the java-apollo client, then I'll reopen this issue.
Is this the best way to connect it to a JabRef instance?
Helpful for implementation: