Authentication
Contributing
If you want to contribute a new auth provider integration we recommend you
start by implementing it as a custom auth provider in a Redwood App first. When
that works you can package it up as an npm package and publish it on your own.
You can then create a PR on this repo with support for your new auth provider
in our yarn rw setup auth
cli command. The easiest option is probably to just
look at one of the existing auth providers in
packages/cli/src/commands/setup/auth/providers
and the corresponding
templates in ../templates
.
If you need help setting up a custom auth provider there's more info in the
auth docs.
Contributing to the base auth implementation
If you want to contribute to our auth implementation, the interface towards
both auth service providers and RW apps we recommend you start looking in
authFactory.ts
and then continue to AuthProvider.tsx
. AuthProvider.tsx
has most of our implementation together with all the custom hooks it uses.
Another file to be accustomed with is AuthContext.ts
. The interface in there
has pretty good code comments, and is what will be exposed to RW apps.
getCurrentUser
getCurrentUser
returns the user information together with
an optional collection of roles used by requireAuth() to check if the user is authenticated or has role-based access.
Use in conjunction with requireAuth
in your services to check that a user is logged in, whether or not they are assigned a role, and optionally raise an error if they're not.
@param decoded - The decoded access token containing user info and JWT claims like `sub`
@param { token, SupportedAuthTypes type } - The access token itself as well as the auth provider type
@param { APIGatewayEvent event, Context context } - An object which contains information from the invoker
such as headers and cookies, and the context information about the invocation such as IP Address
Examples
Checks if currentUser is authenticated
This example is the standard use of getCurrentUser
.
export const getCurrentUser = async (
decoded,
{ _token, _type },
{ _event, _context },
) => {
return { ...decoded, roles: parseJWT({ decoded }).roles }
}
User details fetched via database query
export const getCurrentUser = async (decoded) => {
return await db.user.findUnique({ where: { decoded.email } })
}
User info is decoded from the access token
export const getCurrentUser = async (decoded) => {
return { ...decoded }
}
User info is contained in the decoded token and roles extracted
export const getCurrentUser = async (decoded) => {
return { ...decoded, roles: parseJWT({ decoded }).roles }
}
User record query by email with namespaced app_metadata roles as Auth0 requires custom JWT claims to be namespaced
export const getCurrentUser = async (decoded) => {
const currentUser = await db.user.findUnique({
where: { email: decoded.email },
})
return {
...currentUser,
roles: parseJWT({ decoded: decoded, namespace: NAMESPACE }).roles,
}
}
User record query by an identity with app_metadata roles
const getCurrentUser = async (decoded) => {
const currentUser = await db.user.findUnique({
where: { userIdentity: decoded.sub },
})
return {
...currentUser,
roles: parseJWT({ decoded: decoded }).roles,
}
}
Cookies and other request information are available in the req parameter, just in case
const getCurrentUser = async (_decoded, _raw, { event, _context }) => {
const cookies = cookie(event.headers.cookies)
const session = cookies['my.cookie.name']
const currentUser = await db.sessions.findUnique({ where: { id: session } })
return currentUser
}
requireAuth
Use requireAuth
in your services to check that a user is logged in, whether or not they are assigned a role, and optionally raise an error if they're not.
@param {string=} roles - An optional role or list of roles
@param {string[]=} roles - An optional list of roles
@returns {boolean} - If the currentUser is authenticated (and assigned one of the given roles)
@throws {AuthenticationError} - If the currentUser is not authenticated
@throws {ForbiddenError} If the currentUser is not allowed due to role permissions
Examples
Checks if currentUser is authenticated
requireAuth()
Checks if currentUser is authenticated and assigned one of the given roles
requireAuth({ role: 'admin' })
requireAuth({ role: ['editor', 'author'] })
requireAuth({ role: ['publisher'] })