
GraphQL/Apollo + JWT tokens from Auth0 #481

Closed juliancwirko closed 5 years ago

juliancwirko commented 7 years ago

Hi, I've implemented an Apollo server and also Auth0 passwordless authorization, according to this: https://auth0.com/docs/quickstart/backend/hapi/01-authorization

Now, I know that it could be more GraphQL-related stuff, but maybe someone has had this problem. The question is how to protect only some GraphQL queries/resolvers and not the whole /graphql endpoint, which I currently do like this:

(...)
import { graphqlHapi, graphiqlHapi } from 'graphql-server-hapi';
(...)
server.register(jwt, err => {
  if (err) throw err;
  server.auth.strategy('jwt', 'jwt', 'required', {
    complete: true,
    key: jwksRsa.hapiJwt2Key({
      cache: true,
      rateLimit: true,
      jwksRequestsPerMinute: 5,
      jwksUri: `[jwks.json with keys here]`
    }),
    verifyOptions: {
      audience: '[auth0 api id here]',
      issuer: `[auth0 personal domain here]`,
      algorithms: ['RS256']
    },
    validateFunc: validateUser
  });

  server.register({
    register: graphqlHapi,
    options: {
      path: '/graphql',
      route: {
        auth: 'jwt'
      },
      graphqlOptions: (request) => {
        return { schema: executableSchema };
      },
    },
  });

  server.register({
    register: graphiqlHapi,
    options: {
      path: '/graphiql',
      route: {
        auth: false
      },
      graphiqlOptions: {
        endpointURL: '/graphql',
      },
    },
  });
});

I guess I should take a different path, but I am not sure how to properly validate the JWT in Hapi without using this whole auth strategy. Then I would probably pass this through the request to the graphql context and use the data in the graphql resolvers.

I've searched the Internet but it is hard to find something useful.

Thanks in advance!

igorkosta commented 7 years ago

Hi @juliancwirko,

did you find a way to pass the result of the authentication request as graphql context? I'd appreciate any help. I'm trying to do the same: call an external API with user credentials and pass the result of it to graphql as a context.

Cheers, Igor

juliancwirko commented 7 years ago

Hi, for now I don't use the jwt auth strategy for the '/graphql' route at all. I just pass the needed credentials from the token (the token comes from the request variable) and the logic to the context in graphqlOptions, then I check it in the resolvers. I also use separate jwt verification logic using the jsonwebtoken library. So I just get the token and verify it manually using jsonwebtoken. Basically this is the same as what I described at the end of my issue.

igorkosta commented 7 years ago

@juliancwirko - thank you!