firesphere / graphql-jwt
JWT Authentication for GraphQL
Installs: 6 339
Dependents: 0
Suggesters: 0
Security: 0
Stars: 18
Watchers: 7
Forks: 23
Open Issues: 13
Type:silverstripe-vendormodule
Requires
- php: >=7.1
- ext-json: *
- lcobucci/jwt: ^3.2
- silverstripe/framework: ^4.3
- silverstripe/graphql: ^3.0
Requires (Dev)
This package is auto-updated.
Last update: 2024-09-29 02:41:13 UTC
README
License
GraphQL JSON Web Token authenticator
This module provides a JWT-interface for creating JSON Web Tokens for authentication.
Installation
composer require firesphere/graphql-jwt
The default config is available in _config\config.yml
.
In order to securely process and store data via JWT,
you need to set a secret key in your .env
file:
JWT_SIGNER_KEY="[your secret key]"
A quick way to generate a secure random value value for JWT_SIGNER_KEY
is through a PHP CLI command:
php -r 'echo substr(base64_encode(random_bytes(64)), 0, 64) . "\n";'
You can also use public/private key files.
JWT_SIGNER_KEY="./path/to/private.key" JWT_PUBLIC_KEY="./path/to/public.key"
Note: Relative paths will be relative to your BASE_PATH (prefixed with ./
)
Currently, only RSA keys are supported. ECDSA is not supported. The keys in the test-folder are generated by an online RSA key generator.
The signer key for HMAC can be of any length (keys longer than B bytes are first hashed using H). However, less than L bytes is strongly discouraged as it would decrease the security strength of the function.. Thus, for SHA-256 the signer key should be between 16 and 64 bytes in length.
The keys in tests/keys
should not be trusted!
Configuration
Since admin/graphql is reserved exclusively for CMS graphql access, it will be necessary for you to register a custom schema for your front-end application, and apply the provided queries and mutations to that.
For example, given you've decided to create a schema named frontend
at the url /api
--- Name: my-graphql-schema --- SilverStripe\GraphQL\Manager: schemas: frontend: types: MemberToken: 'Firesphere\GraphQLJWT\Types\MemberTokenTypeCreator' Member: 'Firesphere\GraphQLJWT\Types\MemberTypeCreator' mutations: createToken: 'Firesphere\GraphQLJWT\Mutations\CreateTokenMutationCreator' refreshToken: 'Firesphere\GraphQLJWT\Mutations\RefreshTokenMutationCreator' queries: validateToken: 'Firesphere\GraphQLJWT\Queries\ValidateTokenQueryCreator' --- Name: my-graphql-injections --- SilverStripe\Core\Injector\Injector: SilverStripe\GraphQL\Manager.frontend: class: SilverStripe\GraphQL\Manager constructor: identifier: frontend SilverStripe\GraphQL\Controller.frontend: class: SilverStripe\GraphQL\Controller constructor: manager: '%$SilverStripe\GraphQL\Manager.frontend' --- Name: my-graphql-routes --- SilverStripe\Control\Director: rules: api: Controller: '%$SilverStripe\GraphQL\Controller.frontend' Stage: Live
Log in
To generate a JWT token, send a login request to the createToken
mutator:
mutation { createToken(Email: "admin", Password: "password") { Token, // ...request or you won't have a token ID, FirstName, Surname } }
Validate token
If you have an app and want to validate your token, you can address the validateToken
method:
query validateToken { validateToken { Valid Message Code } }
It only needs to call the endpoint. The token should be in the header, via your middleware for the request, as a Authorization: Bearer [token]
. If the token is valid, you'll get a response like this:
{ "data": { "validateToken": { "Valid": true, "Message": "", "Code": 200, "__typename": "ValidateToken" } } }
If the token is invalid, Valid
will be false
.
Anonymous tokens
Although not advised, it's possible to use anonymous tokens. When using an anonymous authenticator, SilverStripe
will generate a default database record in the Members table with the Email anonymous
and no permissions by default.
To enable anonymous tokens, add the following to your configuration .yml
:
SilverStripe\Core\Injector\Injector: Firesphere\GraphQLJWT\Mutations\CreateTokenMutationCreator: properties: CustomAuthenticators: - Firesphere\GraphQLJWT\Authentication\AnonymousUserAuthenticator
You can then create an anonymous login with the below query.
mutation { createToken(Email: "anonymous") { Token } }
Note: If the default anonymous authenticator doesn't suit your purposes, you can inject any other
core SilverStripe authenticator into CustomAuthenticators
.
Warning: The default AnonymousUserAuthenticator
is not appropriate for general usage, so don't
register this under the core Security
class!
Enable CORS
To use JWT, CORS needs to be enabled. This can be done by adding the following to your configuration .yml
:
SilverStripe\GraphQL\Controller: cors: Enabled: true Allow-Origin: "*" Allow-Headers: "Authorization, Content-Type" Allow-Methods: "GET, POST, OPTIONS" Max-Age: 86400 # ...in seconds
Usage
After logging in, you will receive a token which can be used for further requests. This token should be in the header of the request with the Bearer
as signature:
Authorization: Bearer [token]
Prefix
A prefix can be optionally associated with the unique identifier of a JWT record. This can make it easier to distinguish JWT records created in different contexts, e.g. on a specific domain or environment type. It is not required for security purposes.
JWT_PREFIX="[your secret prefix]"
Security
Currently, the default method for encrypting the JWT is with SHA256. JWT is signed with multiple factors; including the host, audience (app/remote user), a secret key and a timeframe within which the token is valid. Only one device can be logged in at the time.
Supported services
By default, JWT only supports login. As it's tokens can not be disabled, nor used for password changes or resets.
Caveats
When using php under CGI/FastCGI mode with Apache, the Authorization
header might not work correctly, see issue#15. The workaround is simple, just add SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
in your .htaccess
file (refer).
Examples
A Postman collection can be found in the extra
folder.
Cow?
Of course!
/( ,,,,, )\
_\,;;;;;;;,/_
.-"; ;;;;;;;;; ;"-.
'.__/`_ / \ _`\__.'
| (')| |(') |
| .--' '--. |
|/ o o \|
| |
/ \ _..=.._ / \
/:. '._____.' \
;::' / \ .;
| _|_ _|_ ::|
.-| '==o==' '|-.
/ | . / \ | \
| | ::| | | .|
| ( ') (. )::|
|: | |; U U ;|:: | `|
|' | | \ U U / |' | |
##V| |_/`"""`\_| |V##
##V## ##V##