search

nestjs / nest

A progressive Node.js framework for building efficient, scalable, and enterprise-grade server-side applications with TypeScript/JavaScript 🚀
https://nestjs.com
MIT License
66.91k stars 7.55k forks source link

Secure REST and GraphQL using passport #1326

Closed mfechner closed 5 years ago

mfechner commented 5 years ago

I'm submitting a...


[ ] Regression 
[ ] Bug report
[ ] Feature request
[x] Documentation issue or request
[ ] Support request => Please do not submit support request here, instead post your question on Stack Overflow.

Current behavior

I followed the documentation here to setup graphql with passport authentication: https://docs.nestjs.com/techniques/authentication

I put everything together in small sample project that can be found here: https://github.com/mfechner/nest-graphql-apollo-auth-passport

But I do not understand how to get the modifications into the project that passport works with GraphQL endpoint. Could the manual here maybe be improved a little bit, that it is more clear here (which file has to be modified and what has to be imported, ...)

Expected behavior

Accessing the graphql endpoint should give a FORBIDDEN if no valid jwt is provided like it is for the REST endpoint http://localhost:3000/api/cats/getCats.

Minimal reproduction of the problem with instructions

https://github.com/mfechner/nest-graphql-apollo-auth-passport

What is the motivation / use case for changing the behavior?

I currently do an evaluation if nest is the framework we should go with.

Environment


Nest version: 5.4.0

For Tooling issues:
- Node version: 11.2.0
- Platform:  Mac, Windows
zuohuadong commented 5 years ago

see: https://github.com/notadd/nt-module-user/tree/graphql-api && https://github.com/dzzzzzy/Nestjs-Learning/tree/master/demo/easy-post

mfechner commented 5 years ago

@zuohuadong thanks a lot for your links. I had a look into it and the first example does not use passport. I exactly have the problem with passport and graphql together. And I would like to stick to passport, as it does not make sense to write this all again what is already existing and well tested.

The second example has no graphql endpoint. In my example the AuthGuard for the REST endpoint works fine but does not for the graphql. So exactly the part I do not understand in the NESTJS manual is not included here.

marcus-sa commented 5 years ago

https://github.com/ForetagInc/fullstack-boilerplate/tree/master/apps/api/src/app/auth You need to use a separate guard for your GraphQL endpoints which uses the GqlExecutionContext

mfechner commented 5 years ago

@marcus-sa thanks a lot for this link. I fixed it now with this commit: https://github.com/mfechner/nest-graphql-apollo-auth-passport/commit/61bf51a392879f27d7438afa9508cd2280e3de8f

The main problem I had here is, that it was not clear for me that I must use an extra guard and cannot use the same guard I use for the REST endpoints.

mfechner commented 5 years ago

I followed now the same logic to also protect a subscription so I changed:

  @Subscription('catCreated')
  catCreated() {
    return {
      subscribe: () => pubSub.asyncIterator('catCreated'),
    };
  }

to

  @Subscription('catCreated')
  @UseGuards(GqlAuthGuard)
  catCreated() {
    return {
      subscribe: () => pubSub.asyncIterator('catCreated'),
    };
  }

but it does not work, I can subscribe to it without any authorization.

How can I protect the subscription correctly?

marcus-sa commented 5 years ago

You can't do this in a Nesty way yet, unfortunately. You can only use a root guard for protecting your subscriptions.

Reference https://github.com/nestjs/graphql/issues/84

mfechner commented 5 years ago

@marcus-sa thanks for clarification, as this is already existing, I close this issue, thanks.

lock[bot] commented 5 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.