GraphQL authentication via viewer pattern about serverless-graphql HOT 7 CLOSED

haha yep understood. I think what you're suggesting is a more accurate "viewer" pattern...but I wasn't sure if it's a good idea to always have this jwt requirement (even if it can be null) at the top level of each GraphQL query.

Just wanna make sure you're having good experience with this. If you feel better about what you're suggesting and you think it's giving better UX. Feel free to adjust ... we're sort of secretly making a usability test on you ;)

from serverless-graphql.

@kevinold can you have a look at it? I can assist you with the JWT and DynamoDB implementation!

from serverless-graphql.

@pmuens I'm not sure I can for the next few weeks. Dealing with a family issue that limits my free time. Will try to check in when I can.

from serverless-graphql.

Alright. No problem! I'm just struggling to define the schema...

Here's an example I created (/cc @eahefnawy). Not sure if it's good (the Schema also returns the viewer which is not that great I think...) and how we should do this with mutations:

export const ViewerType = new GraphQLObjectType({
  name: 'Viewer',
  description: 'Viewer',
  fields: () => ({
    users: {
      type: new GraphQLList(FormType),
      description: 'Get all users',
      resolve: (source, args) => {
        return getUsers(source);
      }
    }
  })
});

const Root = new GraphQLObjectType({
  name: 'Root',
  fields: {
    viewer: {
      type: ViewerType,
      args: { jwt: { type: new GraphQLNonNull(GraphQLString) } },
      resolve(source, { jwt }) {
        return { jwt: jwt };
      }
    }
  }
});

const Schema = new GraphQLSchema({
  query: Root,
  mutation: Mutations
});

export default Schema;

from serverless-graphql.

I'd like to close this guy since it's now implemented, unless you guys have any other feedback?

@pmuens how was your experience integrating the client with this graphQL auth implementation?

from serverless-graphql.

@eahefnawy I think it's a good implementation for now. 👍

I thought that one could use a higher level query to scope this (which can be reused).

Let's pretend we want to enable it that a signed in user can delete an arbitrary user. So instead of:

mutation deleteUser {
  deleteUser (id: "validUserId", jwt: "valid.jwt.token")
  { id username name email jwt }
}

something like this (it's not valid GraphQL):

user (jwt: "valid.jwt.token") {
 deleteUser (id: "valid.user.id")
  { id username name email jwt } 
}

Hope it's understandable :-D

from serverless-graphql.

Alright. It works great. So I don't think that we need to adjust it right now. But maybe we can keep the user / viewer pattern in mind for updates later on.

from serverless-graphql.