search

neo4j-graphql / neo4j-graphql-js

NOTE: This project is no longer actively maintained. Please consider using the official Neo4j GraphQL Library (linked in README).
Other
609 stars 147 forks source link

Conflicting Auth Directives & Middleware Context Config Patterns #242

Open Phylodome opened 5 years ago

Phylodome commented 5 years ago

I am confused as to how an example such as this, found in your documentation, is compatible with graphql-auth-directives:

const server = new ApolloServer({
  schema: augmentedSchema,
  context: ({ req }) => {
    return {  /* Note: We return a context object containing both `driver` and `req` fields */
      driver,
      req
    };
  }
});

Given that graphql-auth-directives usage effectively co-opts the entire context object via returning only one sub-field of the context object it processes:

const server = new ApolloServer({
  schema,
  context: ({ req }) => { /* Here we pluck the variable `req` from context, via a destructured fn param */
    return req; /* Here we substitute req for the entire context object from which it came */
  }
});

And if we inspect graphql-auth-directives, we find that the verifyAndDecodeToken function takes for granted that the context object is the req:

var verifyAndDecodeToken = function verifyAndDecodeToken(_ref) {
  var context = _ref.context; /* <-- Note: I *will not* find the headers on "_ref.context.req" */
  if (
    !context ||
    !context.headers ||
    (!context.headers.authorization && !context.headers.Authorization)
  ) {
    throw new _errors.AuthorizationError({
      message: "No authorization token."
    });
  }

Thus we end up in a situation where whenever an authDirective is used, we get the error message "No authorization token.", regardless of whether there's a valid auth header in the req.headers.authorization field of the object returned by the handler we've assigned to the ApolloServer constructor's config.context.

Yet the usage pattern is officially documented.

Am I overlooking something simple here? Perhaps I've been staring at the screen for too long, but on my end changing the code in verifyAndDecodeToken such that it expects a context object possessing a req field fixes the issue and makes my directives behave as expected, given the usage pattern documented in the neo4j-graphql-js docs.

johnymontana commented 5 years ago

See this comment for how to use graphql-auth-directives with neo4j-graphql.js

michaeldgraham commented 3 years ago

https://github.com/neo4j-graphql/neo4j-graphql-js/issues/608