Security News
The Risks of Misguided Research in Supply Chain Security
Snyk's use of malicious npm packages for research raises ethical concerns, highlighting risks in public deployment, data exfiltration, and unauthorized testing.
@envelop/generic-auth
Advanced tools
This plugin allows you to implement custom authentication flow by providing a custom user resolver based on the original HTTP request. The resolved user is injected into the GraphQL execution `context`, and you can use it in your resolvers to fetch the cu
@envelop/generic-auth
This plugin allows you to implement custom authentication flow by providing a custom user resolver
based on the original HTTP request. The resolved user is injected into the GraphQL execution
context
, and you can use it in your resolvers to fetch the current user.
The plugin also comes with an optional
@authenticated
directive that can be added to your GraphQL schema and helps you to protect your GraphQL schema in a declarative way.
There are several possible flows for using this plugin (see below for setup examples):
@skipAuth
directive or skipAuth
field extension.context
without validating access to schema field.@authenticated
directive or authenticated
extension field and automatically protect
those specific GraphQL fields.Start by installing the plugin:
yarn add @envelop/generic-auth
Then, define your authentication methods:
resolveUserFn
:Use this method to only extract the user from the context, with any custom code, for example:
import { ResolveUserFn } from '@envelop/generic-auth'
type UserType = {
id: string
}
const resolveUserFn: ResolveUserFn<UserType> = async context => {
// Here you can implement any custom sync/async code, and use the context built so far in Envelop and the HTTP request
// to find the current user.
// Common practice is to use a JWT token here, validate it, and use the payload as-is, or fetch the user from an external services.
// Make sure to either return `null` or the user object.
try {
const user = await context.authApi.authenticateUser(context.req.headers.authorization)
return user
} catch (e) {
console.error('Failed to validate token')
return null
}
}
validateUser
:This method is optional; the default method will just verify the value returned by resolveUser
and
throw an error in case of a false value (false | null | undefined
).
import { ValidateUserFn } from '@envelop/generic-auth'
const validateUser: ValidateUserFn<UserType> = params => {
// Here you can implement any custom to check if the user is valid and have access to the server.
// This method is being triggered in different flows, based on the mode you chose to implement.
// If you are using the `protect-auth-directive` mode, you'll also get 2 additional parameters: the resolver parameters as object and the DirectiveNode of the auth directive.
// In `protect-auth-directive` mode, this function will always get called and you can use these parameters to check if the field has the `@authenticated` or `@skipAuth` directive
if (!user) {
return new Error(`Unauthenticated!`)
}
}
Now, configure your plugin based on the mode you wish to use:
protect-all
This mode offers complete protection for the entire API. It protects your entire GraphQL schema by
validating the user before executing the request. You can optionally skip auth validation for
specific GraphQL fields by using the @skipAuth
directive.
To setup this mode, use the following config:
import { execute, parse, specifiedRules, subscribe, validate } from 'graphql'
import { envelop, useEngine } from '@envelop/core'
import { ResolveUserFn, useGenericAuth, ValidateUserFn } from '@envelop/generic-auth'
type UserType = {
id: string
}
const resolveUserFn: ResolveUserFn<UserType> = async context => {
/* ... */
}
const validateUser: ValidateUserFn<UserType> = params => {
/* ... */
}
const getEnveloped = envelop({
plugins: [
useEngine({ parse, validate, specifiedRules, execute, subscribe }),
// ... other plugins ...
useGenericAuth({
resolveUserFn,
validateUser,
mode: 'protect-all'
})
]
})
directive
By default, we assume that you have the GraphQL directive definition as part of your GraphQL schema (
directive @skipAuth on FIELD_DEFINITION
).
Then, in your GraphQL schema SDL, you can add @skipAuth
directive to your fields, and the default
validateUser
function will not get called while resolving that specific field:
type Query {
me: User!
protectedField: String
publicField: String @skipAuth
}
You can apply that directive to any GraphQL
field
definition, not only to root fields.
If you are using a different directive for authentication, you can pass
directiveOrExtensionFieldName
configuration to customize it.
import { GraphQLInt, GraphQLObjectType } from 'graphql'
const GraphQLQueryType = new GraphQLObjectType({
name: 'Query',
fields: {
foo: {
type: GraphQLInt,
resolve: () => 1,
extensions: {
directives: {
skipAuth: true
}
}
}
}
})
If you want to use a different directive for authentication, you can use the
directiveOrExtensionFieldName
configuration to customize it.
resolve-only
This mode uses the plugin to inject the authenticated user into the context
, and later you can
verify it in your resolvers.
import { execute, parse, specifiedRules, subscribe, validate } from 'graphql'
import { envelop, useEngine } from '@envelop/core'
import { ResolveUserFn, useGenericAuth, ValidateUserFn } from '@envelop/generic-auth'
type UserType = {
id: string
}
const resolveUserFn: ResolveUserFn<UserType> = async context => {
/* ... */
}
const validateUser: ValidateUserFn<UserType> = params => {
/* ... */
}
const getEnveloped = envelop({
plugins: [
useEngine({ parse, validate, specifiedRules, execute, subscribe }),
// ... other plugins ...
useGenericAuth({
resolveUserFn,
validateUser,
mode: 'resolve-only'
})
]
})
Then, in your resolvers, you can execute the check method based on your needs:
const resolvers = {
Query: {
me: async (root, args, context) => {
const validationError = context.validateUser()
if (validationError) {
throw validationError
}
const currentUser = context.currentUser
return currentUser
}
}
}
protect-granular
This mode is similar to option #2, but it uses the @authenticated
SDL directive or auth
field
extension for protecting specific GraphQL fields.
import { execute, parse, specifiedRules, subscribe, validate } from 'graphql'
import { envelop, useEngine } from '@envelop/core'
import { ResolveUserFn, useGenericAuth, ValidateUserFn } from '@envelop/generic-auth'
type UserType = {
id: string
}
const resolveUserFn: ResolveUserFn<UserType> = async context => {
/* ... */
}
const validateUser: ValidateUserFn<UserType> = params => {
/* ... */
}
const getEnveloped = envelop({
plugins: [
useEngine({ parse, validate, specifiedRules, execute, subscribe }),
// ... other plugins ...
useGenericAuth({
resolveUserFn,
validateUser,
mode: 'protect-granular'
})
]
})
directive
By default, we assume that you have the GraphQL directive definition as part of your GraphQL schema (
directive @authenticated on FIELD_DEFINITION
).
Then, in your GraphQL schema SDL, you can add @authenticated
directive to your fields, and the
validateUser
will get called only while resolving that specific field:
type Query {
me: User! @authenticated
protectedField: String @authenticated
# publicField: String
}
You can apply that directive to any GraphQL
field
definition, not only to root fields.
If you are using a different directive for authentication, you can pass
directiveOrExtensionFieldName
configuration to customize it.
import { GraphQLInt, GraphQLObjectType } from 'graphql'
const GraphQLQueryType = new GraphQLObjectType({
name: 'Query',
fields: {
foo: {
type: GraphQLInt,
resolve: () => 1,
extensions: {
directives: {
authenticated: true
}
}
}
}
})
If you are using a different field extension for authentication, you can pass
directiveOrExtensionFieldName
configuration to customize it.
You can also specify a custom validateUser
function and get access to a handy object while using
the protect-all
and protect-granular
mode:
import { GraphQLError } from 'graphql'
import { ValidateUserFn } from '@envelop/generic-auth'
const validateUser: ValidateUserFn<UserType> = ({ user }) => {
// Now you can use the 3rd parameter to implement custom logic for user validation, with access
// to the resolver data and information.
if (!user) {
return new GraphQLError(`Unauthenticated.`)
}
}
It is possible to add custom parameters to your @authenticated
directive. Here's an example for
adding role-aware authentication:
enum Role {
ADMIN
MEMBER
}
directive @authenticated(role: Role!) on FIELD_DEFINITION
Then, you use the directiveNode
parameter to check the arguments:
import { ValidateUserFn } from '@envelop/generic-auth'
const validateUser: ValidateUserFn<UserType> = ({ user, fieldAuthDirectiveNode }) => {
// Now you can use the fieldAuthDirectiveNode parameter to implement custom logic for user validation, with access
// to the resolver auth directive arguments.
if (!user) {
return new Error(`Unauthenticated!`)
}
const valueNode = fieldAuthDirectiveNode.arguments.find(arg => arg.name.value === 'role')
.value as EnumValueNode
const role = valueNode.value
if (role !== user.role) {
return new Error(`No permissions!`)
}
}
You can use custom field extension to pass data to your validateUser
function instead of using a
directive. Here's an example for adding role-aware authentication:
import { ValidateUserFn } from '@envelop/generic-auth'
const validateUser: ValidateUserFn<UserType> = ({ user, fieldAuthExtension }) => {
// Now you can use the fieldAuthDirectiveNode parameter to implement custom logic for user validation, with access
// to the resolver auth directive arguments.
if (!user) {
return new Error(`Unauthenticated!`)
}
const role = fieldAuthExtension.role
if (role !== user.role) {
return new Error(`No permissions!`)
}
}
const resolvers = {
Query: {
user: {
me: (_, __, { currentUser }) => currentUser,
extensions: {
directives: {
authenticated: {
role: 'USER'
}
}
}
}
}
}
You can also have access to operation variables and context via the executionArgs
parameter. This
can be useful in conjunction with the fieldAuthExtension
parameter to achieve custom per field
validation.
import { ValidateUserFn } from '@envelop/generic-auth'
const validateUser: ValidateUserFn<UserType> = ({ user, executionArgs, fieldAuthExtension }) => {
if (!user) {
return new Error(`Unauthenticated!`)
}
// You have access to the object define in the resolver tree, allowing to define any custom logic you want.
const validate = fieldAuthExtension?.validate
if (validate) {
return validate({
user,
variables: executionArgs.variableValues,
context: executionArgs.contextValue
})
}
}
const resolvers = {
Query: {
user: {
resolve: (_, { userId }) => getUser(userId),
extensions: {
directives: {
authenticated: {
validate: ({ user, variables, context }) => {
// We can now have access to the operation and variables to decide if the user can execute the query
if (user.id !== variables.userId) {
return new Error(`Unauthorized`)
}
}
}
}
}
}
}
}
FAQs
This plugin allows you to implement custom authentication flow by providing a custom user resolver based on the original HTTP request. The resolved user is injected into the GraphQL execution `context`, and you can use it in your resolvers to fetch the cu
The npm package @envelop/generic-auth receives a total of 11,111 weekly downloads. As such, @envelop/generic-auth popularity was classified as popular.
We found that @envelop/generic-auth demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Snyk's use of malicious npm packages for research raises ethical concerns, highlighting risks in public deployment, data exfiltration, and unauthorized testing.
Research
Security News
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
Security News
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.