Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket
Sign inDemoInstall

@next-auth/dgraph-adapter

Package Overview
Dependencies
Maintainers
4
Versions
18
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@next-auth/dgraph-adapter

Dgraph adapter for next-auth.

  • 0.2.2-next.300
  • next
  • Source
  • npm
  • Socket score
Version published
Weekly downloads
92
increased by46.03%
Maintainers
4
Weekly downloads
 
Created
Source


    

Dgraph Adapter - NextAuth.js

Open Source. Full Stack. Own Your Data.

Overview

This is the Dgraph Adapter for next-auth. This package can only be used in conjunction with the primary next-auth package. It is not a standalone package.

You can find two Graphql schemas in the docs.

  1. The unsecure don't implement any auth directive is perfect for a quick start.
  2. The second one is more secure and require you replace some value before copy pasting it into your Dgraph console (see Securing your database).

Getting Started

  1. Install next-auth and @next-auth/dgraph-adapter
npm install next-auth @next-auth/dgraph-adapter
  1. Add this adapter to your pages/api/[...nextauth].js next-auth configuration object.
import NextAuth from "next-auth"
import { DgraphAdapter } from "@next-auth/dgraph-adapter";

// For more information on each option (and a full list of options) go to
// https://next-auth.js.org/configuration/options
export default NextAuth({
  // https://next-auth.js.org/configuration/providers
  providers: [
    ...,
  ],
  adapter: DgraphAdapter({
    endpoint: process.env.DGRAPH_GRAPHQL_ENDPOINT,
    authToken: process.env.DGRAPH_GRAPHQL_KEY,

    // you can omit the following properties if you are running an unsecure schema
    authHeader: "<YOUR AUTH HEADER>",
    jwtSecret: process.env.SECRET
  })
  ...
})

Quick start with the unsecure schema

The simplest way to use Dgraph is by copy pasting the unsecure schema into your dashboard. Then create an api client key and grab your endpoint to initialize your DgraphClient. Forget about authHeader and jwtSecret.

Securing your database

Fore sake of security and mostly if your client directly communicate with the graphql server you obviously want to restrict the access to the types used by next-auth. That's why you see a lot of @auth directive alongide this types in the schema.

Dgraph.Authorization

The first thing to do in order to secure your graphql backend is to define the Dgraph.Authorization object at the bottom of your schema and provide authHeader and jwtSecret values to the DgraphClient.

# Dgraph.Authorization {"VerificationKey":"<YOUR JWT SECRET HERE>","Header":"<YOUR AUTH HEADER HERE>","Namespace":"<YOUR CUSTOM NAMESPACE HERE>","Algo":"HS256"}

VerificationKey and jwtSecret

This is the key you use to sign the JWT. Probably your process.env.SECRET.

Header and authHeader

The Header tells Dgraph where to lookup for a jwt with auth credentials. You have to configure it a te bottom of your schema. This header is the same as the authHeader property you provide when you instantiate the DgraphClient.

Working with JWT session and @auth directive

Dgraph only works with HS256 or RS256 algorithms. If you want to use session jwt to securely interact with your dgraph database you have to customize next-auth encode and decode functions because the default algorithm is HS512. You can there going further and customize the jwt with roles if you want to implement RBAC logic.

import * as jwt from "jsonwebtoken";

export default NextAuth({

...

session: {
    jwt: true
  },
    jwt: {
      secret: process.env.SECRET,
      encode: async ({ secret, token }) => {
        return jwt.sign({
          ...token,
          userId: token.id,
          // role: "ADMIN" for RBAC
          },
          secret,
          {
          algorithm: "HS256",
          expiresIn: 30 * 24 * 60 * 60; // 30 days
        });;
      },
      decode: async ({ secret, token }) => {
        return jwt.verify(token, secret, { algorithms: ["HS256"] });
      }
  },

...

})

Once your Dgraph.Authorization define in your schema and this JWT settings set, this will allow you to define @auth rules for every part of your schema.

@auth implementation


type User
  @auth(
    ...

     query: { or: [
        {
          rule: """
              query ($userId: String!) {
                queryUser(filter: { id: { eq: $userId } } ) {
                  id
                  }
                }
                """
        },
        { rule: "{$role { eq: "ADMIN" } }" }
        { rule: "{$nextAuth { eq: true } }" },
       ]},

      ...
  ) {
  id: ID
  ...
}

Contributing

We're open to all community contributions! If you'd like to contribute in any way, please read our Contributing Guide.

License

ISC

Keywords

FAQs

Package last updated on 30 Nov 2021

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Malicious npm Package Exploits WhatsApp Authentication with Remote Kill Switch for File Destruction

Security News

Research

Malicious npm Package Exploits WhatsApp Authentication with Remote Kill Switch for File Destruction

A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.

By Kush Pandya  -  Nov 15, 2024
SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

About

Packages

npm

Go

Maven

PyPI

Rubygems

Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc