nuwave / lighthouse

A framework for serving GraphQL from Laravel
https://lighthouse-php.com
MIT License

Request: Implement paseto auth #1430

Closed wolfiton closed 4 years ago

wolfiton commented 4 years ago

I would like to propose the implementation of paseto by default as an authentication method for Lighthouse GraphQL APIs out of the box.

Or as an additional package, like Laravel's php artisan make:auth.

Reasons why paseto and not JWT can be found in this video by Randall Degges chief hacker at Okta https://www.youtube.com/watch?v=Ai7PVLl4Wng

Thank you in advance for looking over this request.

stayallive commented 4 years ago

Hi @wolfiton this is a bit out of the scope for this library I believe.

However since we use the Laravel authentication guards someone would have to implement a Paseto guard: https://laravel.com/docs/7.x/authentication#adding-custom-guards.

This will not be part of the Lighthouse and also would not be specific for Lighthouse.


I see you posted this request on many places :)

The Lumen API starter you linked shows how to implement a Paseto guard you can then use with Lighthouse: https://lighthouse-php.com/4.12/security/authentication.html#global.

wolfiton commented 4 years ago

Unfortunately, you don't understand how paseto works. It is not another JWT; paseto will create short-lived tokens for users and change them using the events that happen in the API or user actions.

Please watch the video to understand what paseto is and why JWT is dangerous!!! and reopen this request because it is a major security problem.

Thank you

stayallive commented 4 years ago

Hi Wolfiton, Lighthouse does not implement JWT (or Paseto or cookies or any other authentication); we rely on the Laravel Authentication Guards, so I'm not 100% sure where Lighthouse (the project you opened an issue on) advertises JWT or implements JWT?

wolfiton commented 4 years ago

Sorry, but I don't understand how you can use GraphQL directly with Laravel without a frontend SPA or SSR, without using JWT or paseto?

What auth method is there?

Thanks in advance for the explanations or clarifications on this.

stayallive commented 4 years ago

There are many authentication methods you can use: you can even use session-based authentication (like a web request would, using cookies), or use Laravel Passport for full OAuth 2 support, or Laravel Sanctum for token-based auth.

It's all changeable by configuring guards in config/auth.php as explained here: https://laravel.com/docs/7.x/authentication.

You can then set the guard to use in the Lighthouse configuration and your API is protected: https://github.com/nuwave/lighthouse/blob/master/src/lighthouse.php#L46-L58, read more about authentication in Lighthouse here: https://lighthouse-php.com/4.12/security/authentication.html.

But to be clear, Lighthouse uses the Laravel authentication, so any "guard" can be used, and that can implement any security specification from JWT to cookies to Paseto to OAuth. Lighthouse is only aware of the guard and whether the user is authenticated, not how that authentication took place.
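As an added example (not code from Lighthouse or from anyone in this thread) of the custom-guard route described above: a stateless bearer-token guard in PHP that Laravel registers under its own driver name and that Lighthouse then uses through its `guard` config key. The class name PasetoGuard, the injected verifier callable and PasetoVerifier are assumptions; the Laravel 7 Guard contract, GuardHelpers trait and Auth::extend() are the documented extension points.

```php
<?php
// Added example, not Lighthouse's or the thread's own code: a stateless Laravel
// guard that resolves the user from a bearer token, registered under a custom
// driver name so Lighthouse can select it through its normal `guard` setting.
// Assumption: verification is an injected callable returning the token's subject
// id or null; the PASETO library call behind it is not shown here.
namespace App\Auth;

use Illuminate\Auth\GuardHelpers;
use Illuminate\Contracts\Auth\Guard;
use Illuminate\Contracts\Auth\UserProvider;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class PasetoGuard implements Guard
{
    use GuardHelpers; // provides check(), guest(), id(), setUser(), $user, $provider
    private $request; // Illuminate\Http\Request
    private $verify;  // callable(string $token): int|string|null
    public function __construct(UserProvider $provider, Request $request, callable $verify)
    {
        $this->provider = $provider;
        $this->request = $request;
        $this->verify = $verify;
    }
    public function user()
    {
        if ($this->user !== null) {
            return $this->user; // resolve at most once per request
        }
        $token = $this->request->bearerToken();
        // Every failure (missing token, bad signature, expiry, wrong purpose)
        // collapses to null; the guard never tells the client which check failed.
        $subject = $token === null ? null : ($this->verify)($token);
        return $this->user = $subject === null ? null : $this->provider->retrieveById($subject);
    }
    public function validate(array $credentials = [])
    {
        return false; // a token guard has no username/password step
    }
}
// In App\Providers\AuthServiceProvider::boot(); PasetoVerifier is hypothetical.
Auth::extend('paseto', fn ($app, $name, array $config) => new PasetoGuard(
    Auth::createUserProvider($config['provider']),
    $app['request'],
    fn (string $token) => $app->make(PasetoVerifier::class)->subjectOf($token)
));
// config/auth.php:       'guards' => ['api' => ['driver' => 'paseto', 'provider' => 'users']]
// config/lighthouse.php: 'guard' => 'api'
```

With the `api` guard pointed at this driver, Lighthouse only ever sees check() and user(); the token format is entirely the guard's concern, which is the separation the comment above describes.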

wolfiton commented 4 years ago

Thanks that makes it clear now @stayallive