keystonejs-contrib / k6-contrib

Keystone-6 contrib
MIT License

@k6-contrib/session usage #32

Closed yangricardo closed 1 year ago

yangricardo commented 2 years ago

Hi, I'm interested in using this @k6-contrib/session package. Is there any example of how to use it? I thought that it was a simple list extension... Regards

gautamsi commented 2 years ago

This is exactly like @keystone-6/core/session with support for API key authentication; a very simple one, not very complex, and it may not be usable in all places.

You must protect this key with proper permissions so that it does not do any harm.

yangricardo commented 2 years ago

Thanks for the answer :) But do I configure it on a list schema? The common configuration fits on a server configuration attribute, if I am not wrong.

I ask because I had some trouble using it as a list schema field property.

gautamsi commented 2 years ago

This is not for a list schema; you will be using it instead of @keystone-6/core/session.

yangricardo commented 2 years ago

> This is not for a list schema; you will be using it instead of @keystone-6/core/session.

Hmmm, got it... So do I use some values on list properties like secret or supersecret defined as encrypted? Like seen here?? Or is it returned in an authenticateUserWithPassword GraphQL mutation response?

gautamsi commented 2 years ago

Yes, you want it to be like secret so that it can retrieve it unencrypted.

You may return it with the authenticateUserWithPassword mutation; that depends on how you set up permissions, aka access control.

yangricardo commented 2 years ago

Hi, I have tried here, but I still do not understand how it works... I have used statelessApiKeySessions and created an encrypted attribute on my User schema called apiKey.

gautamsi commented 2 years ago
import { config } from '@keystone-6/core';
import { statelessApiKeySessions } from '@k6-contrib/session';

// .....
// .....
// `withAuth` is the wrapper returned by createAuth() from @keystone-6/auth;
// sessionMaxAge and sessionSecret are your own values (e.g. read from env vars).
const session = statelessApiKeySessions({
  maxAge: sessionMaxAge,
  secret: sessionSecret,
});

// .....
// .....

export default withAuth(
  config({
    // ....
    session,
    // ....
  })
);

Does this encrypted field have a reverse flag? It must be reversible so that the API key can be managed; I could write a hashing function for the same. You also want to be careful to add access control on this field to hide it from the Admin UI for non-admins.

yangricardo commented 2 years ago

Yes, it had... The last auth example is pretty close to what I set. But it is not clear to me how this is bound to the User schema list. Is there any custom option to set which attribute handles the API key creation? Is this self-created by the server?

gautamsi commented 1 year ago

I missed answering this.

You have to create the API key yourself; use the resolveInput mutation to make this work.

Options related to this improvement in session:

  listKey?: string;
  apiKeyField?: string;
  apiKeyHeader?: string;