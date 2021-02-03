Add authentication to your GraphQL API with schema directives.

Schema directives for authorization

@isAuthenticated

@hasRole

@hasScope

Quick start

npm install --save graphql-auth-directives

Then import the schema directives you'd like to use and attach them during your GraphQL schema construction. For example using neo4j-graphql.js' makeAugmentedSchema :

import { IsAuthenticatedDirective, HasRoleDirective, HasScopeDirective } from "graphql-auth-directives" ; const augmentedSchema = makeAugmentedSchema({ typeDefs, schemaDirectives : { isAuthenticated : IsAuthenticatedDirective, hasRole : HasRoleDirective, hasScope : HasScopeDirective } });

The @hasRole , @hasScope , and @isAuthenticated directives will now be available for use in your GraphQL schema:

type Query { userById ( userId : ID!): User @ hasScope ( scopes : [ "User:Read" ]) itemById ( itemId : ID!): Item @ hasScope ( scopes : [ "Item:Read" ]) }

Be sure to inject the request headers into the GraphQL resolver context. For example, with Apollo Server:

const server = new ApolloServer({ schema, context : ( { req } ) => { return req; } });

In the case that the token was decoded with no errors the context.user will store the payload from the token

me: ( parent, args, context ) => { console .log(context.user.id); }

A JWT must then be included in each GraphQL request in the Authorization header. For example, with Apollo Client:

import { createHttpLink } from 'apollo-link-http' ; import { setContext } from 'apollo-link-context' ; import { InMemoryCache } from 'apollo-cache-inmemory' ; import { ApolloClient } from 'apollo-client' ; const httpLink = createHttpLink({ uri : < YOUR_GRAPHQL_API_URI > }); const authLink = setContext((_, { headers }) => { const token = localStorage.getItem('id_token'); // here we are storing the JWT in localStorage return { headers: { ...headers, authorization: token ? `Bearer ${token}` : "", } } }); const client = new ApolloClient({ link: authLink.concat(httpLink), cache: new InMemoryCache() });

Configure

Configuration is done via environment variables.

(required) There are two variables to control how tokens are processed. If you would like the server to verify the tokens used in a request, you must provide the secret used to encode the token in the JWT_SECRET variable. Otherwise you will need to set JWT_NO_VERIFY to true.

export JWT_NO_VERIFY= true //Server does not have the secret, but will need to decode tokens

or

export JWT_SECRET=><YOUR_JWT_SECRET_KEY_HERE> //Server has the secret and will verify authenticity

(optional) By default @hasRole will validate the roles , role , Roles , or Role claim (whichever is found first). You can override this by setting AUTH_DIRECTIVES_ROLE_KEY environment variable. For example, if your role claim is stored in the JWT like this

"https://grandstack.io/roles" : [ "admin" ]

Set:

export AUTH_DIRECTIVES_ROLE_KEY=https://grandstack.io/roles

Running Tests Locally

create ./test/helpers/.env add relevant values run the test server

npx babel-node test /helpers/ test -setup.js

run the tests

npx ava test /*.js

Test JWTs

Scopes: user:CRUD

key : qwertyuiopasdfghjklzxcvbnm123456