Add authentication to your GraphQL API with schema directives.
-
@isAuthenticated
-
@hasRole
-
@hasScope
npm install --save graphql-auth-directives
Then import the schema directives you'd like to use and attach them during your GraphQL schema construction. For example using neo4j-graphql.js' makeAugmentedSchema
:
import { IsAuthenticatedDirective, HasRoleDirective } from "graphql-auth-directives";
const augmentedSchema = makeAugmentedSchema({
typeDefs,
schemaDirectives: {
isAuthenticated: IsAuthenticatedDirective,
hasRole: HasRoleDirective,
hasScope: HasScopeDirective
}
});
The @hasRole
, @hasScope
, and @isAuthenticated
directives will now be available for use in your GraphQL schema:
type Query {
userById(userId: ID!): User @hasScope(scopes: ["User:Read"])
itemById(itemId: ID!): Item @hasScope(scopes: ["Item:Read"])
}
Be sure to inject the request headers into the GraphQL resolver context. For example, with Apollo Server:
const server = new ApolloServer({
schema,
context: ({ req }) => {
return req;
}
});
A JWT must then be included in each GraphQL request in the Authorization header. For example, with Apollo Client:
import { createHttpLink } from 'apollo-link-http';
import { setContext } from 'apollo-link-context';
import { InMemoryCache } from 'apollo-cache-inmemory';
import { ApolloClient } from 'apollo-client';
const httpLink = createHttpLink({
uri: <YOUR_GRAPHQL_API_URI>
});
const authLink = setContext((_, { headers }) => {
const token = localStorage.getItem('id_token'); // here we are storing the JWT in localStorage
return {
headers: {
...headers,
authorization: token ? `Bearer ${token}` : "",
}
}
});
const client = new ApolloClient({
link: authLink.concat(httpLink),
cache: new InMemoryCache()
});
Configure Configuration is done via environment variables.
(required)
You must set the JWT_SECRET
environment variable:
export JWT_SECRET=><YOUR_JWT_SECRET_KEY_HERE>
(optional)
By default @hasRole
will validate the roles
, role
, Roles
, or Role
claim (whichever is found first). You can override this by setting AUTH_DIRECTIVES_ROLE_KEY
environment variable. For example, if your role claim is stored in the JWT like this
"https://grandstack.io/roles": [
"admin"
]
set export AUTH_DIRECTIVES_ROLE_KEY=https://grandstack.io/roles
Scopes: user:CRUD
key: qwertyuiopasdfghjklzxcvbnm123456
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJHUkFORHN0YWNrIiwiaWF0IjoxNTQ5MTQ1Mjk0LCJleHAiOjE1ODA2ODEzMDcsImF1ZCI6ImdyYW5kc3RhY2suaW8iLCJzdWIiOiJib2JAbG9ibGF3LmNvbSIsIlJvbGUiOiJBRE1JTiIsIlNjb3BlIjpbIlVzZXI6UmVhZCIsIlVzZXI6Q3JlYXRlIiwiVXNlcjpVcGRhdGUiLCJVc2VyOkRlbGV0ZSJdfQ.nKADki8iKTpKqq3CVdrGAUrSzSBmFolWzYOsA_ULSdo